PRYAVING Au. a& 


Study on 
Improving the 
Single Audit Process 


September 1993 


President’s Council on Integrity & Efficiency 
Standards Subcommittee 


PRESIDENT’S COUNCIL ON INTEGRITY & EFFICIENCY 


Standards Subcommittee 


(1993) 


James B. Thomas, Jr., Chair, U.S. Department of Education 

Thomas D. Blair, Smithsonian Institution 

John J. Connors, U.S. Department of Housing and Urban Development 
Charles R. Gillum, U.S. Department of Agriculture 

John C. Martin, Environmental Protection Agency 


Sinole Audit Studv Task F 


Terry Livingston, Chair, U.S. Department of Education 

Jim Childers, U.S. Department of Transportation 

John Fisher, U.S. Department of Health and Human Services 

Jim McKay, U.S. Department of Housing and Urban Development 
Terry Ramsey, U.S. Department of Education 

George Rippey, U.S. Department of Education 

Hubert Sparks, Appalachian Regional Commission 


The Standards Subcommittee gratefully acknowledges the assistance provided by state auditors, 
independent public accountants, Federal, state and local program managers, Offices of Inspectors General 
Staff, and others who responded to the questionnaires and the draft report. This input was essential to 
identifying the problems and developing recommendations. 


Appreciation is expressed to Susan Ahmed with the U.S. Department of Education and James F. 
Loschiavo with the General Accounting Office for guidance with the questionnaire process. Also, 
valuable editing assistance was provided by Myrana Gibler with the Missouri State Auditor’s Office and 
Jerry Skelly with the General Accounting Office. 


Oa 


PRESIDENT’S COUNCIL on INTERGRITY & EFFICIENCY 


STANDARDS SUBCOMMITTE 
September 30, 1993 


Honorable Philip Lader 

Deputy Director 

Office of Management and Budget 
Washington, DC 20503 


Dear Mr. Lader: 


The Single Audit Act of 1984 established uniform entity-wide audit requirements for state 
and local governments receiving Federal financial assistance. Single audit participants 
(Federal, state, and local program managers, state auditors, independent public 
accountants, and Inspectors General) have raised concerns over some aspects of single 
audit implementation. In response, we have performed a comprehensive study of the 
single audit process. The results of this study are described in the enclosed report with 
77 specific recommendations. A summary of these recommendations is presented on 
page 10. 


In performing this study, we obtained information from questionnaires sent to single audit 
participants and from public comments to a February 16, 1993, draft report. Single audit 
participants gave overwhelming support for raising the dollar thresholds for audit, 
providing more effective coverage of nonmajor programs, improving the Compliance 
Supplement, and reducing and simplifying auditors’ reports. Other recommendations 
were also supported. Therefore, we believe the time is right for OMB to promote 
improvements in the single audit process. We ask that you use this study as a basis for 
these changes. 


The Standards Subcommittee will support implementation of the recommendations in this 
study and efforts to improve the single audit. Also, we will monitor and periodically 
report on the status of these recommendations. 


5), fh) 


B. Thomas, Jr. 


400 MARYLAND AVE., S.W. WASHINGTON, D.C. 20202-1510 


L 


CONTENTS 


Page 

Executive Summary ...... 2... 2. cece cece ee eee eee ee ee ee ee teens l 

Study Methodology ........... cc cece cece cece ee ee eee eee eee 4 

Abbreviations and Terms ... 1... cece ee eee eee ee ee eee eee 7 

PEED occ e cee eee ee ee ehheEHO REESE EE CEEHSOEEEODS 10 

Summary of Recommendations ..............ceeeeeeeeeeeese 10 

Details of Recommendations ............. cece eee e ee eecees 14 
Attachments: 

1 - Sampling Approach ......... cc cece cece eee eee eens 104 

2 - Example of Generic Compliance Supplement ................ 106 

3 - Example of Compliance Matrix ............00eeeeeeeees 113 


EXECUTIVE SUMMARY 


Basis for this Stud 


The Single Audit Act of 1984' ("Act") was an outgrowth of several earlier efforts to 
improve audits of Federal programs provided to state and local governments. OMB 
Circular A-128 ("A-128") was issued in April 1985 to implement the Act. 


Federal agencies, independent public accountants, state auditors, and state and local 
program managers have expressed concerns that while the Act is working, the process 
needs to be improved. Also, a General Accounting Office ("GAO") report titled Single 
Audit Act: Single Audit Quality Has Improved but Some Implementation Problems Remain 
(July 1989) recommended single audit changes. The Office of Management and Budget 
("OMB") requested input from the President’s Council on Integrity and Efficiency (PCIE) 
before making any changes. 


As a result, the PCIE Standards Subcommittee agreed to perform a study on how to 
improve the single audit process and appointed individuals from various Offices of 
Inspector General ("OIGs") to a single audit study task force ("Task Force"). Task Force 
members were selected based on their broad experience with single audits and to typify 
the Federal agencies involved in single audits. 


The objectives set forth for the study were to: 


1. Identify perceived problems relating to the single audit; 


2. Determine the validity, extent, and adverse effects of perceived problems; 
and 


3. Make cost-effective recommendations concerning changes to the Act, 
A-128, and other single audit guidance. 


Consistent with objective number 3, a study consideration was to not significantly 
increase single audit costs. For example, a concern that audit coverage was not sufficient 
would not be answered with a simple recommendation to increase single audit scope. 
Increases to the single audit scope would need to be mitigated by efficiencies and 
reductions such as simplifying audit reporting and reducing or eliminating ineffective 
requirements. 


' Public Law 98-502 amended Section 2(a) Subtitle V of Title 31, United States Code. 


1 


Study Methodology 
The basic study methodology was to: 


1. Inventory perceived problems; 

2. Gather data on these perceived problems through questionnaires and other 
inquiries; 

3. Analyze the results of the questionnaires; 

4. Blend the results of the questionnaires with the single audit experience of 
the Task Force to develop a draft report describing the single audit 
problems and recommended solutions; 

5. Expose the draft report for public comment; 

6. Analyze the comments to the draft report and make revisions; and 

7 Issue final report. 


See the Study Methodology section of this report on page 4 for more details. 


Study Results 


Overall the single audit is a significant improvement over the prior approach of auditing 
Federal programs on a grant by grant basis. All groups of respondents generally agreed 
that the objectives of the Act had been achieved and the single audit was an effective 
approach to auditing Federal programs (See section 10 on page 101). Small local 
government managers volunteered in narrative responses that the single audit reduced the 
overlap and duplication from the prior approach to auditing Federal programs. 


Specific recommendations from this study are presented in both a Summary of 
Recommendations starting on page 10 and a Details of Recommendations starting on page 
14, 


The recommendations in this report are those of the PCIE Standards Subcommittee based 
upon the results of this study. Implementation of these recommendations will require 
action by Congress, the OMB, the PCIE, the GAO, Federal agencies (both OIGs and 
program managers), state and local program managers, state auditors, the American 
Institute of Certified Public Accountants ("AICPA"), and the audit community. 


Implementation strategies are provided with each group of specific recommendations. 
Also, Attachment 4 on page 114 provides a list of primary and secondary responsibilities 
for implementing the recommendations. 


This report on its own is not authoritative guidance for current single audits and does not 
modify current single audit guidance. For the changes recommended in this report to be 
effective, there will need to be changes to the Act, A-128, and other single audit guidance 
such as that issued by the AICPA and PCIE. 


Readers of this report will need a basic knowledge of the single audit process. 
Individuals without this background may need to consult with their auditor, OIG staff, 
or other single audit resource persons for guidance in understanding the single audit 
concepts. 


STUDY METHODOLOGY 


Identificati £ Perceived Probl 
The Task Force identified perceived problems relating to the single audit from: 


Issues previously raised to the OMB and the PCIE; 

Concerns observed during desk reviews and quality control reviews; 
Issues identified in published studies on the single audit; and 
Concerns identified from the experience of the Task Force members. 


o 00 6 


Duestionnai 


The Task Force identified five groups involved with the single audit and developed 
questionnaires to obtain data. The five groups were: 


Office of Inspectors General Staff ("OIG Staff") 

Auditors (State Auditors and Independent Public Accountants ("IPAs")) 
Federal Program Managers 

State and large local government managers ("State/Local Managers") 
Small local government managers ("Small Government Managers") 


PP PTS 


The Task Force asked the first four groups the same basic questions. However, 
sometimes particular groups, because of their perspective on the single audit, would not 
have direct knowledge about an area of the single audit. In these cases, additions or 
deletions were made to the questionnaires to ensure that the respondents could answer the 
questions. For example, the Task Force only asked Auditors questions about sample size 
and estimated changes to single audit costs because only Auditors have direct knowledge 
about these areas. Similarly, the Task Force did not ask Auditors about their use of 
single audit products to manage Federal programs because Auditors do not manage 
Federal programs. 


The questionnaires were designed to be answered by persons who were knowledgeable 
about single audits and to solicit responses to specific issues previously raised about single 
audits. These issues included the effectiveness of the single audit in meeting the original 
objectives, validity of perceived problems, possible improvements in auditing internal 
controls and compliance with laws and regulations, and audit reporting. In addition, the 


questionnaires encouraged respondents to provide narrative comments and any additional 
information they believed would be helpful. 


During questionnaire pretesting the Task Force learned that Small Government Managers 
did not work with the detailed specifics of the single audit. A less technical questionnaire 
was needed for their responses to be valid. Therefore, the Task Force developed a 
separate questionnaire to ask Small Government Managers about their use and satisfaction 
with the single audit and whether smaller organizations had unique concerns. This 
questionnaire did not include the detailed specifics asked the other four groups of 
respondents. Therefore, the Responses Sections in this report normally do not include 
responses from Small Government Managers. 


Response Rate 


The following table identifies the number of questionnaires sent, the number of responses 
received, and the percentage of responses for each group of questionnaires: 


Sent Received 
Target Group Number Number Percent 
OIG Staff 35 35 100% 
State Auditors 53 49 92% 
[PAs 150 106 71% 
Federal Program Managers 98 79 81% 
State/Local Managers 170 143 84% 
Small Government Managers 147 111 76% 


See Attachment | on page 104 for details of the sampling approach. 


The Task Force analysis included looking at how strongly a particular group responded 
in relation to how other groups responded. In the Responses Sections of the report, 


references to a particular group are the average of responses by that particular group. 
Other Data Collection 
In addition tc the basic questionnaires described above, a supplemental questionnaire 


concerning dollar thresholds for audit was sent to the OIG Staff. OIGs also collected data 
for this study during quality control reviews ("QCRs") of single audits. 


Exposure Draft 


Over 2,000 copies of an exposure draft dated February 16, 1993, were sent out with a 
request for comments. The distribution included all questionnaire respondents and other 
interested parties. One hundred seventeen comment letters were received with over 1,200 
individual comments. The number of commenters was approximately an even split 
among OIG Staff, State Auditors, IPAs, Federal Program Managers, and State/Local 
Managers. While most commenters indicated general support for the study’s 
recommendations, many commenters had concerns about one or more recommendations 
and offered constructive suggestions. The Task Force carefully reviewed cach suggestion 
and made clarifications and changes that were considered necessary. 


Coordinati ith the GAQ 
The GAO is also conducting a study of the single audit. This study was coordinated with 


the GAO study. Information was shared to allow each study to build upon the research 
and ideas of the other and minimize duplication of effort. 


ABBREVIATIONS AND TERMS 


Abbreviati 


AICPA 


SFA 


American Institute of Certified Public Accountants 
Corrective action plan 

Catalog of Federal Domestic Assistance 
General Accounting Office 

Government Auditing Standards 
Independent public accountants 
Offices of Inspector General 

Office of Management and Budget 
President’s Council on Integrity and Efficiency 
Quality control reviews 
Research and development 

Student financial aid 


Terms 
Act 
The Single Audit Act of 1984. 


A-50 
OMB Circular A-50, Audit Followup, September 29, 1982 


A-128 
OMB Circular A-128, Audits of State and Local Governments, April 12, 1985 


A-128 Q&A 
Questions and Answers on the Single Audit Provisions of OMB Circular A-128, 
issued by the Office of Management and Budget, November 1987. 


A-133 
OMB Circular A-133, Audits of Institutions of Higher Education and Other 
Nonprofit Institutions, March 8, 1990 


A-133 Q&A 
Questions and Answers on OMB Circular A-133, Audits of Institutions of Higher 
Education and Other Nonprofit Institutions, issued by the PCIE Standards 
Subcommittee as Position Statement Number 6, May 1992. 


Auditors 


Governments (A-128 audits) and Compliance Supplement for Audits of Institutions 
of Higher Learning and Other Non-Profit Institutions (A-133 audits) each list 
compliance requirements for their respective audits. The auditor uses the 
Compliance Supplement applicable to the entity being audited for general 
requirements. Since individual programs are not repeated between the 
supplements, the auditor should review both Compliance Supplements to determine 
whether the specific requirements of a particular program are listed. 


Clusters of Programs 
Different closely related programs with the same purpose and different CFDA 
numbers. These programs are functionally the same and often have similar 
compliance requirements. 


Terms 


Controls Over Compliance 
Internal controls established to ensure compliance with laws and regulations. 


IG Act 
The Inspector General Act of 1978, as amended. 


Issue 


The process of OIGs accepting an audit report prepared by a non-Federal auditor 
and issuing it as an OIG report. 


OIG Staff 
Office of Inspectors General Staff. 


Orange Book 
Federal Cognizant Agency Audit Organization Guidelines issued in October 1985 
by the PCIE Single Audit Committee. 

Programmatic Compliance 
Current specific compliance requirements, general compliance requirements for 
which the auditor can provide an opinion, and subrecipient monitoring. 


State/Local Managers 
State and large local government managers. 


Small Government Managers 
Small local government managers. 


Task Force 
Single audit study task force. 


STUDY RESULTS 


Summary of Recommendations Page 
l DOLLAR THRESHOLDS FOR AUDIT ... 2... ee eee ees 14 
1.1 ific Audits ......... 14 
1.1(a) Raise the threshold for requiring an audit from $25,000 to $100,000 .... 15 

1.1(0) Raise the threshold for requiring a single audit from $100,000 to 
eee ee eee er ee eee eer ee ee eee 15 

1.1(c) Permit a program-specific audit anytime an entity has only one Federal 
program, regardless of the amount of funding received ............ 15 
2 MAJOR/NONMAJOR PROGRAM AUDITING .... 2... cc eee eee 17 
2.1  [goprove Audit Coverage of Nonmaior Programs .... . 2... ccc eennes 17 


Improve Audit Coverage of Nonmajor Programs 

2.1(a) Treat nonmajor programs selected for internal control testing under the 
50% rule as major programs for compliance testing and reporting 

2.1(>) Provide a procedure for Federal agencies to pay to have selected 
nonmajor programs audited as major ..... 2... eee eee 20 

2.1(c} Remove requirements for internal control coverage unique to nonmajor 
programs unless they are tested as major programs under the 50% 
rule 


program transactions otherwise selected during the audit........... 20 


programs will be tested as major 2... 6 ees 24 


Update the Compliance Supplement on a Regulai Schedule 
3.1(a) Revise the Compliance Supplement regularly, at least once every two 


PPP PTererreeeerereeeeEl CEPT rrrirrrere 29 
3.1(>) Establish a project team to update the Compliance Supplement as a 

GR ED cg wc ccc ccc ccc ccc cece ccceseceeeoceces 29 
3.1(c) When laws and regulations change, require Federal agencies to promptly 


submit Compliance Supplement changes 
3.1(d) Develop criteria for what should be included in the Compliance 


3.2 


Compliance" 
3.2(b) Improve the Compliance Supplement guidance on indirect costs ....... 34 
3.2(c) Reclassify Civil Rights and Drug-Free Workplace Act from general 
requirements to requirements to be tested as part of internal controls... 34 
3.2(d) Imctude compliance requirements and suggested audit procedures that are 

the same for many Federal programs once in an appendix rather than 


3.3 


3.3(0) Review the suggested audit procedures for Civil Rights and Drug-Free 


wresmgease ¢ comune Gat Gay enest Geely tetunied purpose eeceeesen 38 
3.4 0 ( terna\ Controls ............ 39 
3.4(a) Add a new Compliance Supplement section to provide specific guidance 
on typical or suggested Controls Over Compliance ............... 40 
3.4(b) Modify the Compliance Supplement to identify those compliance 
re Se ee eee mene anes 0 GEES ... 40 
3.5 th R : i : 
subrecipients 
3.5(b) Identify high risk audit areas in Federal programs ............... 43 
ae Se Se on Oe 6 ee O58 00504 406444682 44 
3.6 ! 
rep operat 4 boneeeeneesteces 46 
3.6(b) Provide a generic Compliance Supplement ..................... 46 
3.6(c) Provide more specific guidance on suggested audit procedures ........ 46 
Subrecipient Monitori 


Ts ee io ae ee en et oe > en 
sufficient tests to support an assessed level of control <isk of low for 


each program tested as major ......... 0... cee eee cece eens 54 
4.1(0) Allow the auditor to not perform internal control testing when internal 

controls are ineffective and to assess the risk at the maximum ........ 54 
4.1(c) Indicate the expected sample size for compliance tests in the Compliance 


py Ay eee mee TUTTTELILELETTTTrTTrT 54 


epee directly 


to Federal agencies when they sce problems in Federal programs ...... 62 

5.3 Improve Timeliness of Audit Reportg ... 0.0... ccc cece eee eee eects 64 
5.3(a) Shorten the due date for single audit reports to seven months. Provide 

an exception of ten months for states and large local governments ..... 66 

5.3(b) Update the Orange Book to streamline OIGs’ procedures ........... 66 


11 


5.4 


5.5 


5.6 


5.7 


5.8 


5.4(a) Require the a yo and compliance to 


reference a matrix that identifies the tvpes of compliance requirements 
_ on a oa Sa eae Sabeeeaseeeneewaceseess 68 


5.6(a) yy TTCrerTrr 74 
5.6(b) When there are many findings and recommendations, encourage the 
auditor to include an executive summary STTTTTTCCT TT Te Tee 74 


Improve Audit Resolution 
5.7(a) Provide feedback in the resolution documents to help auditors understand 

why findings were not sustained ................c ee eeeeeees 77 
5.7(b) When the entity wishes additional documentation to be considered in 

2 oa a a ea 


TE i6o pO 6666466006660 0600400080665 06608808 468 77 
Improve Audit Followup ... 1.1... ccc eee eee ee eee eee ee ees 78 
5.8(a) Require management to include an assertion on the status of prior 

findings with the single audit report ...............000e eee 79 
5.8(0) Require the auditor to attest to the accuracy of management’s assertion 

of the status of prior findings .............. 0.2 ceeeecceeees 80 


DATIET GOTT occ ccc ccc ccc ccc rerccnecneeneeeeseescvens 87 
8.1 Regularly Evaluate and Update Cognizance ... 1... cere eee eee ewes 87 
8.1(a) Review assignment of cognizance every three years ............... 88 

8.1(b) Set up a process for the cognizant agency and another Federal funding 
agency to have cognizance changed for good reason .............. 88 


8.1(c) Base cognizant assignments primarily on the extent of direct funding ... 88 
8.1(d) Clarify that cognizance for single audit and indirect cost rates need not 


Pree ae ee ee eee ee ee 88 

TECHNICAL CHANGES ......... cece wee eee eee eee eee eee eee eeees 89 

9.1 [dentification of Federal Funds ..... 0... cece eee ee ee eee eee 89 
9.1(a) Require identification of Federal funds awarded to recipients or passed 

through to subreciplents 2.0.0 eee eee 90 


9.2 


9.3 


sols Siesta ctaeth a meee ata ee ee Gea en 91 
9.2(a) So pe EER 
rere 91 
9.2(0) Define R&D and SFA as separate programs .................... 92 
9.2(c) Determine the oversight agency based on the predominant amount of 
direct funding rather than total funding ...................... 92 


9.2(d) Enhance the concept of an oversight agency to allow such agencies to 
assume the responsibilities normally performed by a cognizant agency .. 92 

9.2(¢) Update single audit guidance for current termimology.............. 92 

oe Clarify that procurement contracts are not included as Federal awards .. 93 


ee eeeeenenaserees 94 

9.3(6) Clarify that the auditor’s responsibility for auditing Federal program 
income is the same as the responsibility for auditing Federal awards ... 95 

9.3(c) Clarify the basis for determiming awards received ................ 95 

9.3(d) Require the single audit reports to identify programs tested as major ... 95 

9.3(e) Clarify that subrecipients should only send single audit reports to 
organizations 


directly awarding Federal funds to the entity.......... 95 

9.3(f) Clarify that the auditor is required to issue an opinion on compliance for 
each major program 20. wt te eee eee eee eee 96 
9.3(g) Clarify entities and sources of funding covered by the single audit ..... 96 

9.3(h) Clarify that entities audited under A-128 must follow the administrative 
a ae a ae ee Cu ae - 

ase Ceti Gib tie Midis ds th celts eles bs tte eis bb bs 
financial statements and the single audit................00000: 96 

9.3(j) Clarify that the Compliance Supplements set forth the major compliance 
requirements that should be considered in a single audit ........... 97 
9.3(k) Update an A-128 reference to reflect the Common Rule ............ 97 
9.3(1) Administer a single source for Federal single audit guidance ......... 97 

9.3(m) Clarify the auditor’s responsibility to verify accuracy of Federal 
(ss rrr rrr PTE LTEEEEL TT LEEELELrTrrTrrr 97 
> CPP PPTTTTEPEPETECEEEPCLTTITCTTeLTrrreyrerrrerrrrre 99 


meh terrerttredrreirre trent - 
5044000600066 0040006 04646645000 90846884888 1 
9.4(b) Provide training to help auditors understand the internal control and 


Se Cees © Se ae Oe a ee 


64065060 0000065 054006006068 60 ROR eee eee 100 

9.4(c) | MRIS PORES ERES ECEEREEESUSTSSEEP LESSEE 
that are common to several Federal programs ................. 100 
SINGLE AUDIT OBJECTIVES .......... cc ccc ee ee ee eee eee eee ee eees 101 


13 


STUDY RESULTS 


Details of RB lat 


1 DOLLAR THRESHOLDS FOR AUDIT 


The current dollar thresholds under the Act require audits of entities with small amounts 
of Federal funding. These audits of such small amounts may not be cost effective. 


Current Requirements 


An audit is required when an entity receives Federal assistance totaling $25,000 or more 
a year. A program-specific or a single audit may be performed when assistance is at least 
$25,000 but less than $100,000, and the single audit is required when assistance is 
$100,000 or more a year. 


Responses 


The Task Force sent a supplemental questionnaire to the 35 OIG Staff and received at 
least one response from each Inspector General ("IG") organization. The questionnaire 
asked for opinions on the appropriate dollar thresholds to require any Federal audit and 
to require the single audit. OIG Staff were also asked whether entities with only one 
program should be permitted to have a program-specific audit, regardless of the amount 
of Federal assistance. 


There was substantial support from the OIG Staff for raising the thresholds. Specifically 
they supported raising the threshold for audit from $25,000 to $100,000 and raising the 
threshold for requiring a single audit and no longer accepting a pvogram-specific audit 
from $100,000 to $250,000. The OIG Staff also supported permitting entities receiving 
Federal assistance under only one program to have the option of having a single audit or 
an audit of the one program, regardless of the amount of assistance. 


14 


Since the Task Force was not able to address this issue with other respondents, the cover 
memo for the February 16, 1993 draft report specifically asked for the opinions of 
program managers and auditors.” The individuals and organizations who commented on 
the draft report indicated support for raising the dollar thresholds consistent with the 
questionnaire responses from the OIG Staff. 


Task Force Analysis 


The Task Force is concerned that when the amount of Federal assistance received is 
small, requiring an audit, or particularly a single audit, may not be cost effective. Also, 
the current dollar limits have not been changed since the Act was passed in 1984 and at 
a minimum, should be raised because of inflation. 


Recommendations 


1.1(a) Raise the threshold for requiring an audit from $25,000 to $100,000. This 
change would exempt entities receiving Federal financial assistance totaling less than 
$100,900 a year from the audit requirements of the Act. 


The Task Force was not able to determine the number of entities receiving between 
$25,000 and $100,000 that would no longer be required to have an audit because entities 
receiving less than $100,000 are not required to file their reports with the Bureau of 
Census Federal Audit Clearinghouse ("Clearinghouse") and many are subrecipients that 
are not required to file their reports with a Federal agency. However, based upon the 
responses from the OIG Staff and the comments to the February 16, 1993, draft report, 
the Task Force believes this increase from $25,000 to $100,000 is reasonable. If the 
recommended threshold is considered too low, then additional data should be gathered to 
support further relaxing the audit requirements. 


1.1(0) Raise the threshold for requiring a single audit from $100,000 to $250,000. 
This change would permit an entity that receives between $100,000 and $250,000 a year 
in Federal financial assistance to elect to have either a program-specific audit or a single 
audit. 


1.1(c) Permit a program-specific audit anytime an entity has only one Federal 
program, regardless of the amount of funding received. This change would permit 
any entity receiving assistance under only one program to have a program-specific audit 
for that one program in lieu of the single audit. 


? A copy of this memo and the February 16, 1993, draft report were sent to everyone who responded to the 
15 


Sometimes it would be appropriate for a cluster of similar programs to be considered a 
single program for determining whether a program-specific audit may be performed. See 
recommendation 3.8(a) on page 50 concerning using the Compliance Supplement to 
define Clusters of Programs. 


Other Considerations 


The intent of these recommendations is to reduce the burden on smaller organizations. 
Another way to accomplish this would be to extend the provision for biennial audits. 


16 


2 MAJOR/NONMAJOR PROGRAM AUDITING 


2.1 Improve Audit Coverage of Nonmajor Programs 
Concern 


Limited internal control and compliance testing is performed for nonmajor programs and 
the testing that is performed is not very effective. 


Current Requirements 
The auditor is required to gain an understanding and assess risk for internal controls over 


all nonmajor programs. Testing of internal controls and compliance is only performed 
under the following circumstances:? 


0 Nonmajor program internal controls are tested when the entity is under the 50% 
rule. (The 50% rule requires that when major program expenditures are less than 
50% of total Federal expenditures, the auditor must test controls over all major 
programs and selected nonmajor programs until controls over at least 50% of total 


Federal expenditures are subjected to testing.‘) 


o Nonmajor program transactions otherwise selected during the audit are tested for 
compliance requirements applicable to the specific transaction. 

° Federal agencies that require audit coverage in addition to single audits are 
required to make or arrange for the additional audits and the funding for these 
audits. 


Responses 

Federal agency respondents (Federal Program Managers and OIG Staff) agreed more with 
the following statements about the single audit than did non-Federal respondents (State 
Auditors, IPAs, and State/Local Managers): 


° Nonmajor program testing is insufficient. 


* Under certain circumstances, testing is required for general requirements of nonmajor programs. However, 
this is not significant to the points discussed here. 


* AICPA SOP 92-7, Paragraph 4.9. 
17 


° Improvement could be expected from increased testing of nonmajor programs for 
internal controls and compliance. 


Also, in narrative responses, some Auditors questioned the effectiveness of only gaining 
an understanding and assessing risk for internal controls without testing internal controls. 


Task Force Analysis 
Federal Program Managers whose programs are smaller in dollar size and classified as 
nonmajor in single audits have expressed concerns that their programs are never audited. 


The Task Force agrees the single audit provides little direct audit coverage of nonmajor 
programs unless they are selected under the 50% rule. 


The Task Force was also sensitive to the need to minimize any cost increases for single 
audits. Therefore, the Task Force looked for cost-effective ways to modify and enhance 
current audit coverage of nonmajor programs as well as ways to eliminate requirements 
that were not effective. 


Enhance Current Nonmajor Program Coverage 


The 50% rule’s requirement to test controls over selected nonmajor programs so that at 
least 50% of Federal expenditures are covered sets a base line for testing internal 
controls. While testing internal controls for selected nonmajor programs usually provides 
some level of compliance testing,’ there is no 50% base line for testing compliaace. 
Also, the extent of internal control testing required is not clear (see discussion in section 
4.1 on page 51), and the selected nonmajor programs are not included in the auditor’s 
opinion on compliance. 


The Task Force believes that the base line for testing under the 50% rule should include 
testing of compliance in addition to the currently required testing of internal controls. 
The extent of compliance testing should be sufficient to support an auditor’s opinion on 
compliance. This change would provide meaningful audit coverage of selected nonmajor 
programs at a minimum cost increase.° 


Although a Federal program does not meet the dollar threshold to be tested as a major 
program, there may be particular reasons it should be audited. These reasons include 


being significant to a particular Federal agency’s mission or having a higher risk for 


* Compliance testing is usually included with internal control testing because the auditor often tests compliance 
to determine whether the control is working. Also, nonmajor program transactions selected for internal control 
testing must also be tested for compliance as transactions otherwise selected during the audit. 

® It should be noted that the 50% rule normally affects smaller entities so enhancements to also require 
compliance testing under the 50% rule would most often affect smaller entities. 


18 


fraud, waste, or abuse. Currently, under the Act, Federal agencies can only receive 
meaningful audit assurances for nonmajor programs if they require and pay for additional 
audits. While any additional audits should build upon the single audit, they require 
additional coordination by auditors and added audit reporting. It also imposes additional 
administrative burdens and costs to obtain the desired level of nonmajor program 
coverage. A more efficient approach would be to expand the scope of the single audit 
to include selected nonmajor programs. 


Remove Ineffective Requirements 


The Task Forces believes the current requirement to only gain an understanding of 
internal controls unique to nonmajor programs (those not tested under the 50% rule) is 
ineffective. To gain the understanding of internal controls, some auditors send clients 
questionnaires to complete. The auditor may perform limited follow-up procedures 
(telephone calls) when the client responds with control problems. However, a site visit 
aixd actual walk-through of transactions may not be performed. Although this approach 
may be efficient, the Task Force believes this type of correspondence and telephone 
auditing is not effective. While many auditors use more effective approaches, the Task 
Force agrees with the narrative comments from Auditors that it is not effective to only 
gain an understanding of internal controls without testing them. 


Also, the Task Force believes the current approach of compliance testing nonmajor 
program transactions otherwise selected during the audit is not effective. Normaily very 
few transactions are selected from any one program. This does not provide useful 
information about a Federal program’s compliance. For example, to test two transactions 
and determine that one was not in compliance provides no assurances about the balance 
of a program’s transactions. In a single audit, when exceptions are found in nonmajor 
program testing, the auditor is only required to report the exceptions. The auditor is not 
required to expand the sample or otherwise determine the level of noncompliance for a 
nonmajor program.’ Also, it is difficult for the auditor to determine the cause of 
exceptions when only a few transactions are tested. 


Recommendations 


2.1(a) Treat nonmajor programs selected for internal control testing under the 50% 
rule as major programs for compliance testing and reporting. This change will 
increase audit coverage of nonmajor programs at entities where major programs are less 
than 50% of Federal financial assistance. Also, for entities that previously had no major 
programs, this change will require at least one or more programs to be tested and 
reported on as a major program. The cost increase should be small, since under current 


’ The only exception to this statement is the rare case when noncompliance for a nonmajor program could 
materially affect the entity’s financial statements. 


i9 


practice, testing of internal controls must cover at least 50% of expenditures and 
nonmajor program transactions selected for internal control testing are required to be 
compliance tested (as transactions otherwise selected during the audit). 


2.1(0) Provide a procedure for Federal agencies to pay tc have selected nonmajor 
programs audited as major. The single audit provides little specific coverage for 
individual nonmajoy programs. Implementing recommendations 2.1(c) and 2.i(d) will 
eliminate all specific audit coverage of nonmajor programs unless they are tested as 
major. This recommendation will provide a Federal Program Manager (or prime 
recipient in the case of a subrecipient) a procedure to obtain full major program audit 
coverage for a nonmajor program. Federal agencies will need to give the entity sufficient 
advance notice so the entity can arrange with their auditor to audit the selected program 
as major. 


Consistent with current requirements, the grantor of the nonmajor program must clearly 
pay the full additional costs of expanding the single audit. (*herwise, this 
recommendation will not be consistent with the single audit being in lieu of other audit 
requirements. Federal agencies could use such methods as increasing the current budget 
for administrative expenses or providing additional funding to pay the additional costs. 
Some program laws may need to be changed to allow Federal agencies ‘o pay the full 
amount of the additional cost. 


Benefits of this recommended approach are lower audit procurement costs, lower audit 
costs, and elimination of the need for separate audit coordination and reporting. 


2.1(c) Remove requirements for internal control coverage unique to nonmajor 
programs unless they are tested as major programs under the 50% rule. This change 
reduces single audit costs by removing an ineffective requirement and simplifies internal 
control reporting. However, internal controls over nonmajor program transactions may 
be covered with the financial statement or major program segments of the single audit. 
This coverage occurs because major and nonmajor program transactions are often 
processed by the same systems. 


2.1(d) Remove the current requirement for compliance testing of nonmajor program 
costs by removing an ineffective audit requirement and simplifies compliance reporting 
by eliminating the compliance report on nonmajor programs (see recommendation 5. !(a) 
on page 60 to reduce the number of single audit compliance reports). 


Other Considerations 


Recommendation 2.1(a) should be implemented with specific cost savings such as those 
recommended in 2.1(c) and 2.1(d). 


IMPLEMENTATION STRATEGY 


Recommendations 2.1(a) and 2.1(b) 
The Implementation Strategy for recommendation 2.2(a) on page 27 will allow the 


OMB to define criteria for which programs will be tested as major. This will also 
allow OMB to change A-128 to: 


- Require that programs tested as major represent at least 50% of total 
Federal financial assistance. 


- Allow Federal agencies to designate a program as major when the Federal 
agency agrees to pay the full incremental costs of this action. 
Recommendations 2.1(c) and 2.1(d) 
The OMB and GAO should work with Congress to amend the Act to: 


- Modify the requirements concerning auditing internal control systems to _ 
apply only to programs tested as major. (see Act { 7502(d)(2)(B)). 


- Remove the requirement to test transactions otherwise selected during the 
audit (see Act { 7502(d)(2)(C)). 


A-128 will also need to be changed after the Act is chenged. 


21 


Often the same programs are tested each year as major programs even though they have 
good systems of internal control and no previous findings. By contrast, other programs 
may have significant internal control weaknesses or compliance problems but are not 
tested because they are not classified as major programs. 


Current Requirements 


Major Programs 

Major programs are tested both for internal control and compliance. For internal controls 

over major programs, the auditor is required to gain an understanding, assess risk, and 

test controls. For the specific compliance requirements the auditor is required to perform 
ient audit procedures to support an opinion on specific compliance for each major 

program. 

For the general compliance requirements the auditor is required to perform audit 

procedures as listed in the OMB Compliance Supplement for Single Audits of State and 


Local Governments ("Compliance Supplement"). These procedures lead to an audit 
report of positive assurance on items tested and negative assurance on items not tested. 


Nonmajor Programs 


The explanation of current requirements for nonmajor programs is found in section 2.1 
on page 17. 


Major/Nonmajor Program Criteria 


The current definition of major programs is based solely on dollar thresholds as defined 
in the Act. For entities receiving less that $100 million, a major program is any program 
having Federal expenditures during the year that exceed the larger of $300,000 or 3% of 
total Federal expenditures. When expenditures exceed $100 million, the Act provides a 
table specifying dollar thresholds. Any Federal program not meeting the criteria of a 
major program is classified as a aonmajor program. 


Responses 


Auditor respondents expressed a higher level of support for reducing testing for low risk 
major programs than did other respondents. Narrative responses from Auditors supported 
the combination of increased coverage of high risk nonmajor programs and decreased 
coverage of low risk major programs. 


Some State Auditors expressed concern that many Federal programs are audited as major 
programs year after year without any significant findings. They said that these programs 
have been thoroughly audited, that program staff have improved internal controls and 
corrected significant problems, and that there has been a decline in reportable conditions, 
noncompliance, and questioned costs.* Some State Auditors agreed with concerns 
expressed by Federal Program Managers that many nonmajor programs receive little or 
no audit testing under the single audit. 


All groups of respondents indicated that if nonmajor programs were to be tested, a risk- 
based approach for selecting which programs to test would be preferable to a random 
selection. 


Task Force Analysis 


Auditors are required to audit all Federal programs meeting the dollar threshold for major 
programs. There is no provision to exclude low risk major programs that have been 
audited many years without exceptions noted by auditors. Similarly, the auditor has no 
responsibility to perform additional audit procedures on nonmajor programs, even if the 
auditor believes they have a high risk of noncompliance. The only exception to this 
statement is the rare case when noncompliance for nonmajor programs could materially 
affect the financial statements of the entity. 


The Task Force agrees with arguments for a risk-based approach to select Federal 
programs to be tested as major. When the same program is audited for the same 
compliance requirements, year after year, without any significant internal control or 
compliance findings, and the conditions have not changed for the current year, it is not 
likely the auditor will find significant problems in the current year. 


The Task Force also agrees that in entities where major programs comprise over 50% of 
Federal assistance, there may be nonmajor programs that will never be effectively tested 
under a single audit. Although these nonmajor programs may have a high risk of 
noncompliance or be significant to the Federal agency providing the funding, they may 


* National State Auditors Association Position Paper on the Single Audit dated February 1993. 


23 


not be audited. The single audit only requires significant testing for major programs and 
major program determination is based solely on dollar threshold. 


The coverage of nonmajor programs was reduced further when states switched from a 
department-by-department single audit to a state-wide single audit. For example, in a 
department-by-depariment single audit the dollar threshold for determining major 
programs was lower and more Federal programs were classified as major. Changing to 
a state-wide single audit increased the base of Federal programs and that increased the 
dollar threshold for major programs. Therefore, fewer Federal programs were classified 
as major and programs that had previously met the dollar threshold for major were 
classified as nonmajor. 


In contrast, the Task Force is concerned that sometimes Federal agencies know their 
programs will be classified as major and are relying on the major program coverage 
under the single audit. The Federal Program Managers may be uncomfortable with a 
reduction of audit coverage without approval from their agency. 


A key consideration before recommending increased single audit coverage of nonmajor 
programs is audit costs. Therefore, the Task Force believes the costs of any increases 
in audit coverage of nonmajor programs should be mitigated by other single audit 


Recommendation 


2.2(a) Begin a pilot project to use a risk-based approach to determine which 
programs will be tested as major. This pilot will be limited to audits at the state level 
and will require Federal approval. Audits of states were chosen for the pilot because 
State Auditors have expressed the most concern over this issue. Approval would be from 
the Federal funding agency, but coordinated by the cognizant agency OIG. Following 
is a recommendation on how the pilot should be set up. 


Methodology to implement pilot: 


The auditor (State Auditor or IPA engaged to audit a state level entity) would first 


identify major and nonmajor programs using the current dollar thresholds. The auditor 
would then identify low risk major programs to be concidered for exclusion and high risk 


nonmajor programs to be tested as major programs during the current audit. In making 
these determinations, the auditor should use the guidance in the Criteria to identify risk 


in major and nonmajor programs section on page 26. 


For a major program to qualify as low risk (and be eligible for exclusion), it should have 
been audited as a major program in one of the two most recent audit periods and be free 
of significant: 


o Internal control weakness,” 

° iNoncompliance,” or 

0 Questioned costs.° 

"Either individually or cumulatively. 


A major program should only be excluded from testing when there have been no 
significant changes since the prior audit. Significant changes would include changes in the 
program’s operations, internal controls, or laws and regulations. Determining significant 
changes requires the auditor to gain an understanding of current year internal controls 
over low risk major programs. 


The auditor would need to obtain Federal approval for not auditing certain programs as 
major. The expected process would be for the auditor to write the cognizant agency OIG 
explaining why certain otherwise major programs are low risk and requesting approval 
to not audit them as major during the current audit. The cognizant agency OIG would 
contact the Federal funding agency OIG and request concurrence. The Federal funding 
agency OIG would consult, as necessary, with agency program officials before giving 
approval. The cognizant agency OIG would be responsible for ensuring that the entity 
auditor receives a response within 60 days after the cognizant agency OIG receives the 
request. 


For each low risk major program not audited during the current year, the auditor should 
select one or more high risk nonmajor programs to be audited as a major program. It 
would not be necessary for the cognizant agency OIG or Federal funding agency OIG to 
approve which nonmajor programs are considered high risk and are to be audited as 
major. However, to avoid concerns during desk reviews and quality control reviews, the 
auditor should provide written notice to the cognizant agency OIG and affected Federal 
funding agency OIG of these changes in programs audited as major. 


Also, at least 50% of all Federal assistance must be audited as major programs to be 
consistent with the 50% rule. (See recommendation 2.1(a) on page 19 that would expand 
the 50% rule to cover both internal controls and compliance testing.) 


Criteria to identify risk in major and nonmajor programs: 

The auditor, after consulting with management of the audited entity, should use criteria 
such as the following to identify low risk major programs and high risk nonmajor 
programs: 


°o 


Larger dollar value of expenditures would indicate higher risk. Federal programs 
that are close to the major program threshold would be more likely to be audited 
as major. The single audit would not be expected to test clearly insignificant 


programs. 


Weaknesses in internal controls (including controls over compliance with laws and 
regulations) would indicate higher risk. When identifying risk in a large entity 
wide audit, consideration should be given to whether weaknesses are isolated in 
a single operating unit (e.g., one state department) or pervasive throughout the 
entity. 


Risk could be higher for programs identified as high risk by Federal agencies 
(e.g., programs on the OMB high risk list). 


Any monitoring or other review by a Federal agency during the prior or current 
audit period should be considered in determining risk. For example, a monitoring 
review that reported significant exceptions would indicate higher risk. 


The nature of a program may indicate risk. For example, programs that disburse 
funds through procurement and contracting or have eligibility criteria may be of 
higher risk. Programs involving primarily staff payroll costs may have a high risk 
for time and effort reporting, but otherwise be at low risk. 


Significant prior audit findings would indicate higher risk, particularly when 
findings have not been properly corrected. 


Programs not previously audited as major would be considered to have a higher 
risk than programs recently audited as major without significant exceptions. 


A program administered by multiple operating units with different systems of 
internal control would indicate higher risk. 


The system for monitoring subrecipients (including reviewing subrecipient audit 
reports) should be part of the risk analysis. For example, when significant parts 
of a program are passed through to subrecipients, a weak system for monitoring 
subrecipients would indicate higher risk. 


° The phase of a program in its life cycle at the entity may indicate risk. For 
example, the first and last years of the life cycle of a Federal program might be 
considered higher risk. 


As part of the risk evaluation the auditor may also wish to discuss a particular program 
with the funding Federal agency. 


Evaluation of pilot: 


After two audit cycles, the OMB and the PCIE should evaluate the results of this pilot 
project and determine whether this risk-based approach has resulted in more effective 
single audits. 


The OMB and GAO should work with Co 

OMB to prescribe the criteria for determining or prams | 
‘This method wil reps the curent method of speieal 
patty Map hi won 8 ges | 


27 


3 COMPLIANCE SUPPLEMENT AND COMPLIANCE REQUIREMENTS 


The Compliance Supplement needs to be updated regularly to provide auditors with 
current requirements. 


Current Requirements 
The principal compliance requirements of the largest Federal programs are listed in the 
OMB Compliance Supplement. The first Compliance Supplement under the Act was 


issued in April 1985. It was updated five years later with the current Compliance 
Supplement issued in September 1990. 


Responses 


In narrative responses all four groups of respondents (OIG Staff, Auditors, Federal 
Program Managers, and State/Local Managers) cited the need for more frequent updates 
to the Compliance Supplement. 


Task Force Analysis 

Currently there is no regular schedule for updating the Compliance Supplement. 
Although the OMB has just started the process for a current update, the Task Force 
expects it will be at least late 1993 before the next update is issued. The Task Force 


believes there should be a process in place to ensure that the Compliance Supplement is 
updated at least once every two years. 


Federal agencies rely upon non-Federal auditors for compliance tests of Federal 
programs. The Compliance Supplement conveys the Federal agencies’ expectations for 
these tests. Current audit procedures require the auditor to research and determine 
whether the laws and regulations in the Compliance Supplement are current, and if not, 
to make appropriate changes to audit procedures. It is cumbersome to require many non- 
Federal auditors each to search for changes in laws and regulations. It would be more 
efficient for Federal agencies to make timely changes to the supplement. Also, providing 
more current guidance mitigates the risk that non-Federal auditors may interpret changes 
differently from Federal agency expectations. The Compliance Supplement must be kept 


28 


current to ensure non-Federal auditors are applying the appropriate criteria when auditing 
Federal programs. 


The Task Force believes that one reason the 1990 update took three years to complete 
was that criteria were not stated for what should be included in the supplement. The lack 
of clear criteria resulted in a lengthy negotiation process among the Federal agencies 
(who wanted the supplement to include as many requirements as possible), the OMB (who 
wanted to keep the Compliance Supplement requirements to a manageable size) and the 
audit community (who wanted specific guidance on the requirements to be tested as well 
as to limit the number of requirements). 


Recommendations 


3.1(a) Revise the Compliance Supplement regularly, at least once every two years. 
The revision process should systematically address new Federal programs and their 
requirements as well as requirements no longer applicable or significant for existing 
programs. Changes should only be made when the laws or regulations have changed or 
when the Federal agencies can show significant problems with current requirements or 
Suggested audit procedures. When changes are made in Compliance Supplement 
requirements, the effective date or effective period for each change should be specified. 


Once regular updates are occurring on a two year basis, the update schedule should be 
enhanced to annual updates at a the same time each year. Consideration should also be 
given to distributing interim updates to the Compliance Supplement through an electronic 
bulletin board administered by the OMB or its designee. 


The auditor should not be expected to routinely research program laws and regulations 
to determine whether there have been changes. However, the auditor should be expected 
to be alert to changes, inquire of the auditee concerning any new requirements or 
program changes, and review the interim risk alerts as discussed in recommendation 
3.5(c) on page 44. Also, the auditor may need to study program laws and regulations to 
more fully understand the compliance requirements. 


A goal of regularly updating the Compliance Supplement should be that it would be a safe 
harbor for identification of compliance requirements to be tested. Auditor judgment 
would still be necessary to determine the extent of audit procedures for compliance 
requirements. 


3.1(b) Establish a project team to update the Compliance Supplement as a 
continuous process. Since changes to Federal laws and regulations are ongoing, 
updating the Compliance Supplement also should be ongoing. One method would be for 
the OMB to delegate the staff work of updating single audit guidance to the PCIE. The 


29 


PCIE has personnel who regularly work with single audits. Although the OMB should 
retain final approval authority for the updates, a staff dedicated to keeping single audit 
information current would help ensure that other priorities did not supersede regular 
updates. 


This project team could also be responsible for other Compliance Supplement 
enhancements recommended in this section. However, any changes to the Compliance 
Supplement would need to involve Federal program managers who more thoroughly 
understand program objectives, laws, and regulations. 


3.1(c) When laws and regulations change, require Federal agencies to promptly 
submit Compliance Supplement changes. Updating the Compliance Supplement should 
be a continuous process. The best method to provide recommended changes is as part 
of the implementation process for new laws and regulations. To ensure timely updates, 
Federal agencies should submit recommendations to revise the Compliance Supplement 
requirements within 180 days after significant changes in laws or regulations. 


3.1(d) Develop criteria for what should be included in the Compliance Supplement. 
For example, under each of the types of compliance requirements (e.g., eligibility and 
matching), the OMB should establish criteria that can be used to determine what kinds 
of noncompliance could have a material effect on programs. Examples of possible 
criteria are the importance of a particular compliance requirement in meeting a program’s 
Objectives, potential disallowance because of noncompliance, risk of noncompliance, 
complexity of requirements, and prior instances of noncompliance. Specific criteria 
should help make the Compliance Supplement requirements more consistent among 
programs and simplify updates. 


In practice because of the structure and types of requirements included in the Compliance 
Supplement, auditors have interpreted the single audit as requiring two levels of 
compliance reporting for Federal assistance. The levels are an opinion on specific 
compliance and a report on general compliance expressing positive assurance for the 
tested items and negative assurance for untested items. This practice has resulted in 
complex and confusing audit reporting. 


Also, the current reporting may not meet the single audit requirements since 
noncompliance with some general compliance requirements could have a material effect 
on a major program. 


Current Requirements 

The Act requires the auditor to determine and report whether the entity has complied with 
laws and regulations that may have a material effect upon each major program.’ The 
OMB issued the Compliance Supplement that describes the general and specific program 
requirements for the larger Federal programs. The Compliance Supplement helps the 
auditor by identifying the laws and regulations that could be material to a program. 
General requirements are national policies that apply to the assistance programs of one 
or more Federal agencies. Specific requirements apply to individual programs. 


The auditor provides different levels of audit assurance on compliance depending upon 
the classification of general or specific. The higher level, an opinion, is provided on 
specific compliance for major programs." The lower level, a report (based upon 
performing audit procedures listed in the Compliance Supplement) is provided on general 
requirements as applicable for both major and nonmajor programs. 


Responses 


All four groups of respondents (OIG Staff, Auditors, Federal Program Managers, and 
State/Local Managers), either in specific questions or narrative responses, agreed with 


* Single Audit Act, Paragraph 7502(d)(2)(C). 


10 A-128, paragraph 8.b.(2)(b) requires two general requirements, Federal Financial Reports and Amounts 
Claimed or Used for Matching (Allowable Costs/Cost Principles), to be included in the opinion on specific 
compliance. 


31 


the need for simpler and fewer audit reports. Auditors indicated they would expect some 
cost decrease in single audits from simpler and fewer audit reports." 


For Civil Rights and Drug-Free Workplace, all four groups of respondents indicated there 
was a low risk of noncompliance and the audit procedures listed in the Compliance 
Supplement were not effective. There was also high support from all groups of 
respondents to eliminate these two requirements froin single 2udit testing. 


Task Force Analysis 
The current practice to provide two different levels of audit assurance makes the 


compliance reporting complex by having an auditor’s report on general compliance and 
an opinion on specific compliance. 


One reason for the Compliance Supplement grouping between general and specific 
requirements was to reduce repetition in writing the Compliance Supplement. For 
example, the compliance requirements and suggested audit procedures for Federal 
Financial Reports are listed once under general requirements rather than listed repeatedly 
with each program’s specific requirements. The Task Force does not believe the original 
grouping of requirements as either general or specific was intended to affect the level of 
auditor’s work or audit assurances. 


The reason often given by auditors for not being able to give an opinion on all general 
compliance requirements is they cannot give an opinion on two, Civil Rights and Drug- 
Free Workplace. Specific reasons are that noncompliance with these two is not 
quantifiable’? and the Compliance Supplement procedures are not adequate to support 
an opinion on whether the entity complied with civil rights laws or maintained a drug-free 
workplace. The Task Force believes these two requirements could be more effectively 
tested as part of the internal control coverage. 


The Task Force believes the auditor can test the other seven general requirements to the 
opinion level for affected major programs. Specifically, six requirements (Davis-Bacon, 
Relocation Assistance and Real Property Acquisition, Cash Management, Federal 
Financial Reports, Allowable Costs/Cost Principles, and Administrative Requirements) are 
transaction oriented to specific programs and if applicable to a major program can be 
tested to the opinion level. The seventh requirement, Political Activity, could also be 
tested as specific compliance if it were included with Allowable Costs/Cost Principles. 


"' Questions on cost were asked only to Auditors because the Task Force believes that only Auditors would be 
able to accurately estimate cost changes. 


2 AICPA SOP 92-7, Paragraph 4.70. 


32 


Additional support for redefining the way general requirements are handled is when 
general compliance requirements such as Relocation Assistance and Real Property 
Acquisition apply only to nonmajor programs. The Task Force believes it is inconsistent 
to test a general requirement that applies only to a nonmajor program, just because there 
are no major programs with this requirement. 


Recommendations 

The following recommendations should eliminate the need for a report on general 
compliance (See secticn 5.1 on page 58) and improve compliance testing. They will also 
enhance compliance auditing by requiring the auditor to provide a compliance opinion for 
all requirements for which an opinion can be rendered. 


3.2(a) Redefine general and specific compliance requirements as "Programmatic 
Compliance". Programmatic Compliance should include all current specific requirements 
plus general compliance requirements for which the auditor can provide an opinion. 
Also, subrecipient monitoring should be added as discussed in section 3.7 on page 47. 


The recommended definition of Programmatic Compliance should include the following: 
9 Types of Services Allowed or Unallowed (This requirement refers to 


whether the amounts reported as expenditures for a program were for 
services allowed for that program.) 


° Allowable Costs/Cost Principles (This requirement refers to whether the 
amounts reported as Federal expenditures were in accordance with the 
applicable cost principles. This testing should also include Political 
Activity.) 

° Administrative Requirements 

9 Eligibility 

o Matching, Level of Effort, and/or Earmarking (This requirement includes 


determining whether any costs used for matching are in accordance with 
Allowable Costs/Cost Principles.) 


© Special Reporting 
° Federal Financial Reports 


° Cash Management 


33 


° Subrecipient Monitoring (See section 3.7 on page 47). 


° Special Tests and Provisions (including Davis-Bacon and Relocation 
Assistance and Real Property Acquisition). 


(There is not a substantive change for Allowable Costs/Cost Principles and Federal 
Financial Reports because these requirements are currently required to be included 
in the auditor’s opinion on specific compliance. The above items listed in italics 
are currently grouped in the Compliance Supplement as general requirements.) 


3.2(0) Improve the Compliance Supplement guidance on indirect costs. The 
guidance should clarify that indirect costs must be considered as part of the single audit. 
This guidance is necessary because recommendation 3.2(a) replaces general compliance 
requirements” (which were always tested) with Programmatic Compliance (which will 
only be tested for programs tested as major). 


Total indirect costs for all programs may be material to a single major program or total 
Federal financial assistance. Individual indirect costs charges to any one major program 
may not be material to that program; however, indirect costs charged to all programs may 
be as large as the major program dollar threshold. Therefore, more guidance is needed 
on the auditor’s responsibility to test both the indirect cost rate and system. For example, 
the presence of a negotiated indirect cost plan would be one indicator that indirect costs 
should be considered in a single audit. 


3.2(c) Reclassify Civil Rights and Drug-Free Workplace Act from general 
requirements to requirements to be tested as part of internal controls. Implementing 
recommendation 3.2(a) would leave these two general requirements not redefined as 
Programmatic Compliance. The tests for these fit more appropriately with internal 
control tests as discussed in section 3.4 on page 39. 


The Task Force considered narrative comments by some respondents to eliminate testing 
Civil Rights and Drug-Free Workplace from single audits. However, although it is 
inappropriate to include these two requirements in the auditor’s compliance opinion, they 
still are important national issues that can be appropriately considered as part of the single 
audit internal control testing. Also, in the future there may be other national issues that 
cannot be included in the compliance opinion, but still need to be included in the single 
audit. This recommendation provides a method to include future national issues in single 
audits. 


'’ General requirements included indirect costs as part of allowable costs/cost principles. 


34 


. . 
A OUUL SLUG Lite 


Suggested audit procedures listed in the Compliance Supplement for Civil Rights and 
Drug-Free Workplace are not meaningful tests of controls or compliance. The purpose 
of requiring the auditor to test these two requirements is not clear. 


Current Requirements 
Explained with Task Force Analysis below. 


Responses 


For Civil Rights and Drug-Free Workpiace tests, all four groups of respondents (OIG 
Staff, Auditors, Federal Program Managers, and State/Local Managers) indicated a low 
level of effectiveness for the current tests and many respondents recommended 


eliminating them from testing as part of the single audit. 


The Task Force reviewed the current Compliance Supplement steps with a Federal 
agency’s field office for civil rights compliance. Field office staff agreed that the current 
steps would provide only minimum benefit for ensuring compliance with civil rights laws. 


Task Force Analysis 


The purpose of the auditor testing these two requirements and the level of assurance 
required is not clear. It is not practical for the auditor to determine whether an entity 
complied with civil rights laws or has a drug-free workplace. Also, one or more Federal 
organizations could have responsibilities to enforce these requirements. However, the 
a emg ee ptm camel A, ma mam 
audit procedures such as reviewing entity documents and controls or 

certain polices and procedures controls have been established. isoamibaldesaee 


the auditor could report any exceptions found. 


Following are examples of suggested audit procedures in the Compliance Supplem-<nt that 
the Task Force believes are not meaningful audit tests: 


Civil Rights 
Current Requirements 
° Ascertain the number of complaints filed with Federal, State, and/or local 
: ronsible for fiscrimination in 
programs during the fiscal year, the status of unresolved complaints or 
iestions. and the acti nae a orton 
mavestignene = acuons resolved complaints or completed 


° Obtain representation and/or attorney letters to determine if any civil rights 
suits have been adjudicated or are pending. 


Task Force Analysis 


The Task Force does not see practical benefit for the auditor to obtain documents 


and information already filed with the appropriate agency responsible for 
enforcement of civil rights laws. The auditor is rot required to audit this 


already know whether it received the report. 


requirements could more appropriately be handled as part of internal control testing. For 
example, consider the requirements of determining whether there is: 


37 


(Under Civil Rights Requirements) 
- An announced policy of nondiscrimination. 
- A person designated to oversee civil rights compliance. 


(Under Drug-Free Workplace Requirements) 


work in this area should be covered in the internal control report. 


Recommendations 


3.3(a) Determine the purpose for using the single audit to test Civil Rights and 
Drug-Free Workplace. Establishing the purpose or objectives for including these 
requirements in the single audit will is necessary before determining the specific 


identify changes needed to the Compliance Supplement or, alternatively, whether these 
requirements should continue to be included as part of the single audit. This review 
should be done with recommendation 3.4(a) on page 40. 


to the Act or A-128. 


Currently, there is limited guidance in the single audit literature on typical internal 
controls established to ensure compliance with laws and regulations ("Controls Over 
Compliance"). Also, the guidance for these controls needs to be clarified in the 


Compliance Supplement. 


The main purpose of the Compliance Supplement is to provide guidance on testing of 
compliance with laws and regulations. Sometimes Controls Over Compliance are also 
mentioned. Because of the inconsistency of when Controls Over Compliance are 
mentioned, auditors may be confused on their responsibility. For example, an auditor 
may conclude in error that unless requirements to test Controls Over Compliance are 
specifically listed in the Compliance Supplement, it is not necessary to test them. 


Current Requirements 


The auditor is required to test Controls Over Compliance for ail major programs and, 
when required by the 50% rule, for selected nonmajor programs. 


Responses 


Federal agency respondents (Federal Program Managers and OIG Staff) indicated that 
there was a problem with insufficient internal control review and testing. All four groups 
of respondents (OIG Staff, Auditors, Federal Program Managers, and State/Local 
Managers) indicated expected improvements from better Compliance Supplement 
guidance on acceptable internal controls. 


Task Force Analysis 

The Act emphasizes internal controls and requires the auditor to "Determine and report 
whether the government, department, agency, or establishment has internal control 
systems to provide reasonable assurance that it is managing its Federal financial assistance 
programs in compliance with applicable laws and regulations." To meet this requirement, 
both program managers and auditors need guidance on typical or suggested Controls Over 
Compliance. 


The current Compliance Supplement provides only very limited guidance on Controls 
Over Compliance. The suggested audit procedures for some programs in the Compliance 


39 


ce — CCiéeéeéeéé...L_ _ 


Supplement list audit requirements for internal controls'* while others do not specifically 
mention controls. This inconsistency raises the question about whether the auditor’s 
internal control responsibility changes when Controls Over Compliance are specifically 
listed in the Compliance Supplement’s suggested audit procedures. 


The Task Force believes that the Compliance Supplement is a logical place for Federal 
agencies to provide guidance on Controls Over Compliance. This guidance should 
include guidance on appropriate internal controls and typical audit procedures as well as 
guidance on when the auditor is expected to test Controls Over Compliance. 


Recommendations 


3.4(a) Add a new Compliance Supplement section to provide specific guidance on 
typical or suggested Controls Over Compliance. Inquiries should be made of both 
program managers and auditors for examples of Controls Over Compliance that have 
proven to be effective in actual practice. 


This section should include the required internal control considerations for Civil Rights 
and Drug-Free Workplace as discussed in recommendation 3.2(c) on page 34 and section 
3.3 on page 36. 


Also, this new section should provide examples of typical Controis Over Compliance and 
audit procedures for testing the controls. Since internal controls may vary widely among 
entities, these examples should be considered informational only and not required. 
Guidance should be provided for situations unique to both large and small entities. 
Providing typical Controls Over Compliance and audit procedures should serve as a basis 
to improve the auditor’s review and testing of such controls. 


3.4(b) Modify the Compliance Supplement to identify those compliance requirements 
for which Controls Over Compliance should be tested. For some compliance 
requirements there would normally be specific Controls Over Compliance that the auditor 
should test. The Compliance Supplement should be modified to identify and specifically 
require the auditor to test these Controls Over Compliance. 


In other cases, the compliance requirements may be of a nature that it is not practical to 
expect Controls Over Compliance to be tested. For example, a compliance requirement 
to hold a public hearing annually would normally not have internal controls to be tested. 


' For example, the Compliance Supplement for Catalog of Federal Domestic Assistance number 13.600 


provides a suggested audit procedure to "Review and evaluate internal controls designed to ensure expenditures 
are made only for allowable services." 


40 


In such cases, the Compliance Supplement would not include steps to test Controls Over 
Compliance and the auditor would not be required to test these controls. 


If this recommendation is pot implemented, the Compliance Supplement should make 
clear whether performing the internal control audit procedures specified in the 
Compliance Supplement satisfies the auditor’s entire internal control responsibility for the 
program. Also, the Compliance Supplement should clarify that when audit procedures 
relating to Controls Over Compliance are not specified for a program, such procedures 
may still be necessary. 


41 


Currently there is no formal process to inform auditors of compliance requirements which 
Federal agencies believe to have the highest risk of noncompliance. Auditors need this 
information to properly plan and execute the audit and to ensure appropriate audit 
coverage of the areas of greatest risk. 


Current Requirements 
The Compliance Supplement provides the auditor with information on the compliance 
requirements and suggested audit procedures for the larger Federal programs. The 


auditor is responsible for determining the compliance requirements for Federal programs 
not listed in the Compliance Supplement. 


Responses 


All four groups of respondents (OIG Staff, Auditors, Federal Program Managers, and 
State/Local Managers) indicated they would expect a significant improvement in single 
audits from increased Compliance Supplement guidance to identify high risk Federal 
programs and audit areas as well as from issuance of interim risk alerts of potential 
problems. 


Task Force Analysis 

While the Compliance Supplement does identify the compliance requirements that may 
be material to a program, it does not identify whether a particular program or compliance 
requirement has a greater risk. The Task Force believes that there are specific Federal 
programs and compliance requirements that have a higher risk and should receive a 
greater emphasis during audits. Informing the auditor of potential high risk areas allows 
the auditor to more effectively plan the audit and perform internal control and compliance 
tests. 


An example of a higher risk program at the state level is Medicaid. Reasons Medicaid 


is higher risk include: (a) it is a large, growing program that significantly impacts 
recipients’ budgets, (b) the regulations are complex, and (c) the methods of administering 
the program and determining reimbursement vary. 


42 


Examples of high risk areas within Medicaid are: 


° Nursing home reimbursement rates. Even a small error in a daily rate can be 
significant since the total error would be a combination of {the daily rate error} 
X {365 days per year} X {number of patients in nursing homes of the entity}. 


° Eligibility of the provider. If the provider is not eligible then all reimbursement 
requests for that provider are unallowable costs. 


© Edits in Medicaid management information systems. Since the volume of claims 
is high, there is pressure to reduce backlogs of claims by removing system edits. 


By contrast, some programs such as the Social Services Block Grant have a low risk of 
noncompliance because they have simple requirements for eligibility and allowable costs. 


Also, Federal agencies periodically learn of potential problems areas that may be 
pervasive throughout a program, which an auditor should emphasize. These areas may 
be discovered by OIG audits, program reviews, or single audits. Also, changes in laws 
and regulations may change the importance of a particular compliance requirement. 


While audit procedures currently suggested in the Compliance Supplement may address 
the particular compliance area, emphasis may be needed for the auditor to fully 
understand what to look for and the significance of certain types of compliance 
exceptions. 


Recommendations 


3.5(a) Identify Federal programs that are high risk at recipients and subrecipients. 
A method should be developed for Federal agencies to indicate in the Compliance 
Supplement those programs that are higher risk at the recipient and subrecipient level. 
The determination of risk would be based on past problems identified by auditors and 
program officials or inherent weaknesses in the design of the program. 


The auditor should consider these indicators of risk when planning the audit and use 
professional judgment to determine an appropriate audit approach. No special audit 
reporting would be required because a program is listed as high risk. Indicating risk in 
the Compliance Supplement would not change the auditor’s responsibility to test all major 
programs. 

3.5(b) Identify high risk audit areas in Federal programs. A method should be 


developed for Federal agencies to indicate when a particular requirement in the 
Compliance Supplement is high risk and why. This method should include relevant 


43 


information to help in auditing the area. Past problems identified by auditors and 
program officials or inherent weaknesses in the design of the program could be used to 
determine high risk. 


The auditor would be expected to consider whether a compliance area is high risk when 
planning the audit and use professional judgment to determine an appropriate audit 
approach. No special audit reporting would be required because a compliance area is 
listed as high risk. Also, the auditor would still be required to test compliance areas that 
were not identified as high risk. 


3.5(c) Issue interim risk alerts of potential problems. This recommendation would 
provide Federal agencies with a method to promptly communicate potential problem areas 
to auditors along with any relevant information to help in auditing the area. To ensure 
consistency, these risk alerts should be centrally controlled by either the OMB or the 
PCIE. 


Methods for issuing these risk alerts could include using the annual AICPA industry risk 
alerts, issuing annual or semiannual Federal agency risk alerts, and using the Federal 
Register and professional organizations to publicize the availability of these documents. 
Federal agencies could provide more current information with an electronic bulletin board 
for auditors to call into and request or download current risk alerts. 


While the Compliance Supplement lists the larger Federal programs that provide over 
90% of the Federal aid to state and local governments, there are still many programs not 
listed in the supplement. Also, sometimes the auditor needs more specific guidance on 
audit procedures. 


Current Requirements 

For programs listed in the Compliance Supplements (either A-128 or A-133 supplement) 
which have not had subsequent changes in laws or regulations, an audit of the 
requirements in the Compliance Supplement will meet the single audit requirements. If 
there have been changes, then the auditor should follow the provisions of the Compliance 
Supplement as modified by the changes. For programs not listed in the Compliance 
Supplement, the auditor is responsible for determining the compliance requirements. 


Responses 


Federal Program Managers identified insufficient guidance in the Compliance Supplement 
as a significant problem. Federal agency respondents (Federal Program Managers and 
OIG Staff) indicated they would expect improvement in single audits if the Compliance 
Supplement included more programs. 


IPAs and Federal agency respondents indicated they would expect improvement from 
more detailed audit procedures and guidance on extent of audit tests in the Compliance 
Supplement. In narrative responses, Auditors expressed concern that detailed audit 
procedures should not result in increased audit requirements. 


Task Force Analysis 


Including a program in the Compliance Supplement provides specific guidance on the 
compliance requirements to test and the suggested audit procedures. This practice 
benefits the auditor because it is more efficient to have the requirements listed in one 
place than to search program laws, regulations, etc., to determine the requirements. This 
practice also benefits the Federal agencies because they know what requirements auditors 
should have tested. The practice should also help ensure more consistent audits. 


Auditors frequently ask the OIGs what to test when Federal programs are not listed in the 
Compliance Supplement. It would be more efficient if the Compliance Supplement 
described what to do in these cases. 


Recommendations 


3.6(a) Add more programs to the Compliance Supplement. The additional programs 
should be ones that are commonly classified as major. One approach would be to review 
the Schedule of Federal Financial Assistance from states and larger cities and counties 
and add to the Compliance Supplement programs that are classified as major by multiple 
entities. An additional approach would be to sample medium and smaller cities and add 
programs that are often classified as major. 


3.6(b) Provide a generic Compliance Supplement. The Compliance Supplement 
should include procedures to perform when a specific program is not included in the 
Compliance Supplement. This guidance should include how to determine the material 
compliance requirements and audit steps. Even with recommendation 3.6(a) above to add 
more programs, there would still be many programs that cannot be listed in the 
Compliance Supplement. A generic Compliance Supplement would provide a consistent 
methodology for auditors to use in determining and testing the compliance requirements 
for programs not listed. (See Attachment 2, Example of Generic Compliance Supplement, 
on page 106) 


3.6(c) Provide more specific guidance on suggested audit procedures. This guidance 
should include specifics on suggested audit tests (both internal control and compliance), — 
descriptions of likely noncompliance, and examples of typical exceptions. This is not a 
recommendation to include more requirements but to provide better guidance on how to 
audit the current requirements. 


3.7 Subrecipient Monitori 
Concern 


The single audit requirements for the prime recipient’s monitoring of subrecipients need 
to be enhanced. 


Current Requirements 


The auditor is required to examine the recipient’s system for monitoring subrecipients and 
obtaining and acting on subrecipient audit reports. A-128, paragraph 9, provides specific 
requirements for prime recipients that pass funds through to subrecipients. 


When awards to subrecipients are part of major programs (or a nonmajor program used 
to meet the 50% rule), the auditor is required to test the controls the government uses to 
monitor subrecipients.° 


Responses 
This issue was not specifically addressed in the questionnaires. 


Task Force Analysis 


The auditor’s responsibility for subrecipient monitoring is not clear. Subrecipient 
monitoring is not included in the Compliance Supplement as a general or specific 
requirement. Although the auditor is required to test the controls over monitoring 
subrecipients, the extent of the auditor’s tests is not clear. The auditor does not include 
subrecipient monitoring in the compliance opinion. 


The Task Force believes subrecipient monitoring should be added to the Compliance 
important that the auditor should be required to include this requirement with the 
compliance opinion for programs tested as major. 


'S AICPA SOP 92-7, Paragraph 4.22. 
47 


Recommendation 


3.7(a) Include subrecipient monitoring as a requirement in the Compliance 
Supplement." This change will clarify that the auditor needs to test both internal 
controls and compliance for subrecipient monitoring for programs tested as maijor."’ 


Some recipients pass a large part of a major program through to subrecipients. In this 
situation, the major program compliance testing at the recipient will only cover a small 
part of the major program’s funding. Including subrecipient monitoring as a specific 
requirement will improve the audit coverage of funds passed through to subrecipients, 
particularly when large amounts are passed through. 


Testing of subrecipient monitoring should inciude the requirement in recommendation 
9.1(a) on page 90 for the prime recipient to identify the amount and Catalog of Federal 
Domestic Assistance ("CFDA") number of Federal funds passed through. 


‘© Recommendation 3.2(a) on page 33 includes subrecipient monitoring with Programmatic Compliance 
requirements. 


"7 In some cases there may be more than one level of subrecipients. For example, a local government may be 
both a subrecipient of the state and a prime recipient to a housing authority. The housing authority may be 
both a subrecipient of the local government and a prime recipient for another unit of government or a 
not-for-profit entity. This recommendation applies to any prime recipient/subrecipient relationship, without 
regard to the number of levels the federal money was passed through. 


Separate closely-related programs ("Clusters of Programs") may all support the same 
purpose and yet have different CFDA numbers. Although these programs are 
functionally the same and often have similar compliance requirements, they are treated 
as separate programs because they have different CFDA numbers. 


Current Requirements 


All awards under the same CFDA number constitute a program. For awards not assigned 
a CFDA number, all awards made for the same purpose are combined as one program. 


Responses 
This issue was not specifically addressed in the questionnaires. 


Task Force Analysis 


Programs with different CFDA numbers that have the same purpose and are in substance 
one program should be audited as one program under the Act. For example, the National 
School Lunch Program ("NSLP") is CFDA number 10.555, the School Breakfast 
Program ("SBP") is CFDA number 10.553, and U.S. Department of Agriculture Food 
Donation Program (commodities) is CFDA number 10.550. The same application 
qualifies a student under NSLP and SBP. A school operating the NSLP is required to 
accept and use commodities. All three CFDA numbers are components of Federally 
assisted meal service to students, often serve the same individuals, and are normally 
administered together by the school entity. 


The Task Force believes the Compliance Supplement should identify Clusters of 
Programs that should be treated as one program for purposes of having a 
program-specific audit and determining major programs. This identification would give 
auditors a single source for determining whether programs under separate CFDA numbers 
should be grouped as a Cluster of Programs and would also ensure that only related 
programs are so grouped. 


49 


Recommendation 


3.8(a) Allow Federal agencies to designate in the Compliance 

of Programs. Each Cluster of Programs should be treated as one mesee en 
determining whether a program is tested as a major program. Also, a Cluster of 
Programs should be considered as one program for determining whether a 


4 INTERNAL CONTROL AND COMPLIANCE TESTING 


For major programs and nonmajor programs tested under the 50% rule, the extent of 
testing required for internal controls is not clear. Also, Federal agencies are concerned 
that auditors are not testing an adequate number of transactions for compliance. 


Current Requirements 


The Act’* and A-128" require the independent auditor to determine and report on 
whether the organization has internal control systems to provide reasonable assurance that 
it is managing Federal assistance programs in compliance with applicable laws and 
regulations. A-128 specifies that the auditor must test Controls Over Compliance, but 
does not specify the extent of these tests. 


In addition, the auditor is required to determine whether the organization has complied 
with laws and regulations that may have a material effect on each major program. The 
auditor is required to test for compliance a representative number of transactions from 
each major program. The selection and testing are based on the auditor’s professional 
judgment. The extent of testing is required to be sufficient to support the auditor’s 
opinion on compliance. 


Responses 


Federal agency respondents (Federal Prog.an. Managers and OIG Staff) indicated a 
significant problem with insufficient testing (internal control and compliance). By 
contrast, non-Federal respondents (IPAs, State Auditors, and State/Local Managers) did 
not believe testing was insufficient. 


Responses by Auditors to questions on minimum sample size for testing Controls Over 
Compliance and for testing compliance indicated a common minimum sample size of 25 
items.” Almost 60% of the Auditors providing information on minimum sample sizes 


* Single Audit Act, Paragraph 7502. 
® 4-128, Paragraph 8. 


* Questions on sample size were asked only to Auditors because the Task Force believes only Auditors would 
have direct knowledge about sample sizes used. 


$1 


indicated a range of 25 to 30 items. Also, information collected during quality control 
reviews indicated a sample size of 25 items is common. 


The majority (84%) of Auditors indicated that for transaction oriented compliance 
requirements, the total number of transactions normally tested (both internal control and 
compliance) ranged from 25 to 60 items (46% indicated a range of 25 to 30 items). Only 
11% of the auditor respondents indicated they normally used sample sizes of less than 25. 


There was generally strong support from all four groups of respondents (OIG Staff, 

Auditors, Federal Program Managers, and State/Local Managers) to use the Compliance 

Supplement to provide guidance on the extent of audit tests. Similarly, Federal agency 

However, non-Federal respondents, and in particular State Auditors, did not support 
ifyi —— ton 


Task Force Analysis 


The Task Force believes that a primary reason for the difference between Federal and 
non-Federal respondents on the issue of sufficiency of sample size is that Federal 
expectations on the extent of testing are not clear. As to whether there is actually a 
significant problem with insufficient sample sizes, the Task Force believes the data is 
inconclusive. Most respondents indicated minimum and normal sample sizes that the 
Task Force believes are in the low end of the acceptable range, as described further 
below. However, in the Task Force’s view, such small samples would only be acceptable 
when there is a low risk of noncompliance based on current testing of Controls Over 
Compliance and prior audit experience. The Task Force was unsure whether the 
respondents had this type of environment in mind when responding to the sample size 
questions. 


The single audit is for the benefit of the Federal agencies and the Task Force believes 
specific guidance is needed on the amount of testing Federal agencies expect. Below is 
the Task Force’s analysis and recommendations regarding Federal expectations on the 
extent of Controls Over Compliance and compliance testing. 


Testing of Controls Over Compliance 

Since the testing requirements for Controls Over Compliance are not specified, it is not 
clear to the auditor how much testing is required. The required testing of Controls Over 
Compliance is more than the minimum walk-through of transactions done as part of 


gaining an understanding of the internal control structure as required by SAS 55. 
However, it is less than the audit assurances on internal controls under SAS 30 or SSAE 


2.74 Both auditors and Federal agencies need more guidance on the expected testing for 
Controls Over Compliance. The report on internal controls does not make it clear to the 
Federal program manager how much testing was performed. 


From the Federal agency’s perspective, the purpose of the auditor performing tests of 
internal controls is to provide the Federal government with some level of assurance that 
the organization has reasonable internal control systems to: (a) have managed, and (b) 
have the ability to continue to manage, Federal programs in compliance with laws and 
regulations. 


The Federal agencies need assurance that the auditor’s tests will have a reasonable 
Opportunity to detect significant deficiencies in the design or operation of the internal 
control structure that could adversely affect the organization’s ability to administer 
Federal financial assistance according to laws and regulations (reportable conditions). 


A frequent source of guidance used by auditors for sample sizes in single audits is the 
Guide to Audits of Local Governments published by Practioners Publishing Company. 
For attribute sampling of Controls Over Compliance, this pubiication recommends a 
sample size of either 60, 40, or 25, depending upon the planned (or supported) level of 
control risk. 


Testing of Compliance with Laws and Regulations 


Although the auditor is required to perform sufficient tests to support the compliance 
opinion, Federal expectations for single audits are not stated in terms of specific sample 
sizes. One example of Federal expectations for sample size is the U.S. Department of 
Education’s audit guide for Student Financial Assistance programs that requires minimum 
sample sizes in program-specific audits. The minimum for certain compliance areas is 
50 transactions or 25% for populations less than 200. Although not specifically 
applicable to single audits, these requirements do indicate a Federal agency’s 
expectations. 


An indicator of the amount of testing performed is the recommendation by the Practioners 
Publishing Company for compliance sample sizes of either 25 (approximately a 10% 
tolerable error rate and 10% sampling risk) or 60 (approximately 5% tolerable error rate 
and 5% sampling risk) depending upon the auditor’s overall judgment of risk factors from 
A-128, paragraph 8.b.(2). Except for a qualification that a 10% tolerable error rate and 
10% sampling risk are the highest acceptable limits consistent with Federal expectations, 
the Task Force agrees with this guidance. Such high limits (10% tolerable error rate and 
10% sampling risk) and resulting small sample size (25 items) would only be acceptable 


2" In July 1993, Statement on Standards for Attestation Engagements No. 2, Reporting on an Entity’s Internal 
Control Structure Over Financial Reporting, was issued. This statement supersedes SAS 30, Reporting on 
Internal Controls. 


53 


when internal control risk is determined to be low and prior audits have found very little 
noncompliance. 


Recommendations 


4.1(a) Require the auditor to plan the internal control testing to perform sufficient 
tests to support an assessed level of control risk of low for each program tested as 
major. This recommendation would set a minimum level of testing for each compliance 
area as listed in the Compliance Supplement or that otherwise could be material to a 
program tested as major. Auditor judgment would be used to determine the specific 
sample sizes required. Risk factors considered would include the results of prior audits 
concerning the design and operation of the internal controls. 


Implicit in this recommendation is that the auditor would not be expected to test Controls 
Over Compliance that were not effective as discussed in the following recommendation. 


4.1(6) Allow the auditor to not perform internal control testing when internal 
controls are ineffective and to assess the risk at the maximum. It would not be 
appropriate under recommendation 4.1(a) to require testing of internal controls that are 
not effective (e.g., not properly designed) or not working (e.g., the first several 
transactions tested are exceptions and it is not effective to continue testing). In these 
cases the auditor should have a reportable condition or a material weakness. Also, the 
auditor would need to perfrrm alternate procedures to support the opinion on compliance. 


However, if certain internal controls are lacking or ineffective, the auditor should 
consider whether compensating controls exist. For example, just because an entity does 
not have sufficient personnel for appropriate separation of duties, does not mean there are 
not other internal controls that can be tested. 


4.1(c) Indicate the expected sample size for compliance tests in the Compliance 
Supplement’s suggested audit procedures. For example, with a significant compliance 
requirement and populations of 200 or more, the auditor would normally be expected to 
test between 40 and 60 transactions for compliance. However, after a major program has 
been audited for several years, Controls Over Compliance have been found to be effective 
and previous audits have not found compliance deviations, the auditor might decide to 
reduce sample size. 


For example, during the first audit of a program tested as major, the auditor might 
determine that Controls Over Compliance are effective and decide to test 60 transactions 
for compliance. The result may be that there was no more than one deviation. If, during 
the second year there were only minor changes in conditions and the tests indicated the 
controls were still effective, the auditor might decide to only test 40 transactions. The 


54 


result again may be no more than one deviation. Then, in the third year, if conditions 
were the same and internal controls were considered effective, then the auditor may only 
test 25 transactions”. Often the sample size for internal controls will also be tested for 
compliance and can be used to meet the expected sample size for compliance tests. 


The Compliance Supplement guidance on expected sample sizes would need to recognize 
that auditor judgment should always be considered. For example, it may be more 
efficient to stratify samples in some populations because of dollar size or audit risk. 
Also, the Compliance Supplement would need to give Federal expectations for sample 
sizes when transaction volumes are low such as periodic financial or special reports that 
only occur a limited number of times a year. Generic guidance would be needed for 


programs not in the Compliance Supplement. 


These expected sample sizes would apply when in the auditor’s judgment few compliance 
exceptions are expected. However, when exceptions are expected, the auditor would 
normally use a larger sample size to project the upper limit on the dollar amount of 
misstatements. 


22 Generally, sample sizes of less than 25 transactions would not meet Federal expectations unless the population 
sizes were very small. 


55 


The current requirement to test a representative number of transactions from each major 
program can result in inefficient auditing of transactions flowing through a common 
system. 


Current Requirements 
The Act, A-128, and the A-128 Q&A require the auditor to select and test a 


representative number of transactions from each major program when testing 
compliance.” 


Responses 
This issue was not specifically addressed in the questionnaires. 


Task Force Analysis 

The Task Force believes the interpretation to require testing of each major program needs 
to be clarified to recognize that when like transactions are processed under a common 
system of internal controls that the auditor determines to be working, then the sample 
selection need not include transactions from each major program. What is more 
important is to ensure that all the significant internal control systems, including any 
subsystems, are appropriately tested. 


Recommendation 


4.2(a) Recognize benefits provided by a common system of internal controls. When 
major programs share a common system of internal controls over like compliance 
requirements and sufficient transactions are tested for conformity with those requirements, 
then the sample selection need not include transactions from each major program. This 
option would be consistent with testing the indirect cost system instead of testing 
individual expenditures charged by the system to every program. 


® Single Audit Act, Paragraph 7502.(d)(2)(C); A-128, Paragraph 8.b.2; and November 1987 Questions and 
Answers on the Single Audit Provisions of OMB Circular A-128 ("A-128 Q&A"), Question 18. 


This method anticipates the auditor would use procedures such as walking through 
transactions from each major program to ensure that the program’s internal controls are 
appropriately included in the common system. Also, the common system should not have 
Significant deficiencies, or alternatively, the auditor would need to expand testing to 
determine the impact of deficiencies on each major program. 


The auditor should only rely upon the common system for the applicable controls and 
compliance areas tested in that system. Payroll is an example of a common system that 
may be used to process transactions for more than one Federal program. The common 
system may be used to ensure that payroll is correctly computed, is based on proper 
documentation such as time sheets, and is in conformance with the cost principles. An 
auditor could test and rely upon such a system for these compliance elements. However, 
for compliance areas that were not part of the common system such as a program 
limitation on the type and amount of salary payments, the auditor would need to perform 
separate tests beyond the common system. 


Another example would be a test of a common disbursement system. Tests could be 
designed to determine whether there were proper procurement, receipt, and payment for 
goods and services; proper support was maintained; and payments were mathematically 
accurate. However, additional compliance requirements such as eligibility for the service 
or client, use of the expenditure for matching, or an individual program cost limitation 
may not be part of the common system and would need to be tested separately. 


; ss Were een ee hes epee ty Os 


‘AICPA in audit guides However, Federal support for this recommendation may 
be needed in either A-128 or a PCIE ‘Position statement. 


57 


Current reporting practices for single audits result in a complex single audit reporting 
package. It is cumbersome for preparers and confusing to users. 


Current Requirements 
Auditing literature currently requires the auditor to report on the following: 


1. 
2. 


General purpose or basic financial statements ("Financial Statements"). 


Supplemcutary Schedule of Federal Financial Assistance (with the auditor’s 
opinion in relation to the Financial Statements). 


Entity-wide internal control matters based on the auditor’s understanding of the 
internal control structure and the assessment of control risk made as part of the 
financial statement audit. [Government Auditing Standards ("GAS") requirement] 


Internal controls designed to provide reasonable assurance of compliance with laws 
and regulations applicable to Federal awards. [A-128 requirement] 


Compliance that may be material to the Financial Statements. [GAS requirement] 


Compliance with laws and regulations applicable to each major Federal program 
(opinion) and a statement of positive assurance on those items that were tested 
under A-128 for compliance and negative assurance on those items not tested. 


[A-128 requirements} 


In single audit practice, auditors have interpreted these requirements to be met 
with the following three reports: 


a. Report on compliance with general requirements (opinion disclaimer with 
positive/negative assurance). {Applicable for all A-128 single audits} 


b. | Opinion on compliance with specific requirements applicable to each major 
program. The opinion should include whether Federal financial reports and 
Claims for advances and reimbursements contain information supported by 


books and records, and whether amounts claimed or amounts used for 
matching are in accordance with allowable costs/cost principles. 
{Applicable only when there are major programs} 


c. Report on compliance with requirements tested for nonmajor programs 
(opinion disclaimer with positive/negative assurance). {Applicable only 
when nonmajor programs are tested} 


7. Schedule of Reportable Conditions (including material weaknesses) for internal 
control findings and a Schedule of Findings and Questioned Costs for compliance 
findings (if not included in the internal control or compliance reports). 


8. Management letter. 


9. —_ Report of illegal acts. 


Although combining of like reports is permissible, it is discouraged because the resulting 
combined reports are complex. 


Responses 


IPAs indicated 2 significant problem that the internal control and compliance reports were 
confusing. They expected significant improvement and lower costs by simplifying and 
reducing the number of auditor’s reports. 


Task Force Analysis 


The reason for multiple compliance reports is to allow the auditor to provide different 
levels of audit assurance. Different levels are provided based on the class of compliance 
requirements (general or specific) and whether the programs are major or nonmaijor. 
This results in lengthy and confusing reports to precisely describe each level of 
responsibility. 


The Task Force believes the most appropriate way to reduce and simplify the reporting 
is to eliminate the need for providing different levels of assurance. The recommendations 
in section 3.2 on page 31 will redefine general and specific compliance to Programmatic 
Compiiance. This change will eliminate the need for a separate report on general 
compliance. 


Recommendations 2.1(c) and 2.1(d) on page 20 will remove the current requirements to 
audit internal controls and compliance for nonmajor programs. This change will 


59 


eliminate the need for a report on compliance for nonmajor programs since they would 
either be audited as major programs or not be tested. 


Based upon the changes discussed in this section, one compliance report could be issued 
to meet the additional requirements of the single audit. This report would provide an 
opinion on Federal programs tested as major programs. 


The Task Force also believes having two internal control reports is confusing to users. 
Both of the current internal control reports are unnecessarily long due to the inclusion of 
technical jargon. 


Recommendations 


5.1(a) Reduce the number of single audit compliance reports from three to one. As 
discussed in the Task Force analysis, this requires implementing recommendation 2. 1(d) 
on page 20 to remove the requirement to test nonmajor program transactions otherwise 
selected during the audit and the recommendations in section 3.2 on page 31 to revise the 
structure of general and specific compliance. These recommendations will reduce the 
number of reports by eliminating or putting into different categories the underlying work 
on which the reports on general requirements and nonmajor programs are based. Other 
alternatives should be developed for reducing the number of compliance reports if these 
recommendations are not implemented. 


5.1(b) Simplify and explore further reduction in the number of the remaining 
reports. Implementation of recommendation 2.1(c) on page 20 will simplify the internal 
control reporting by dropping the requirement to perform audit procedures with respect 
to internal controls for programs not tested as major. This change will eliminate the need 
to describe such work in the report. Further simplification could be made by eliminating 
unneeded technical jargon. 


The number of reports could be further reduced by consolidating the remaining reports. 
For example, the compliance reports required by A-128 and GAS could be combined into 
a single understandable report. The two internal control reports could also be combined. 
Alternatively, the GAS compliance and internal control reports could be combined into 
a single report as could the A-128 compliance and internal control reports. 


IMPLEMENTATION STRATEGY 


As discussed in recommendation 2.1(d) on page 20, eliminating the requirement to 
test nonmajor program transactions otherwise selected during the audit will 
eliminate the need for a separate report on nonmajor program compliance. The 
implementation strategy for this recommendation on page 21 recommends that the 
OMB and GAO should work with Congress to change the Act to remove this 


requirement. 


Consistent with recommendations in section 3.2 on page 31, the OMB should | 
revise the Compliance Supplement to redefine general and specific compliance into 
reports on general and specific compliance. 
The AICPA and the GAO will need to take the lead with changes to auditing 


standards and other auditing guidance to simplify the reports. Also, State 
Auditors, the PCIE, and program managers will need to provide their support. 


61 


There is no established method for non-Federal auditors to report to Federal agencies 
design problems in Federal programs. Design problems in Federal programs can cause 
inefficiencies in program delivery or difficulty in achieving program objectives. Also, 
program laws and regulations may be written in a way that is difficult or impractical for 
recipients to comply with. These problems can be at the Federal, prime recipient, or 
subrecipient level. 


Current Requirements 


Auditors are required to report internal control and compliance findings applicable to the 
entity audited. There is no requirement or mechanism to report problems related to the 
Federal program itself. 


Responses 
The Task Force did not specifically address this issue in the questionnaires. 


Task Force Analysis 


A significant part of the auditing of Federal programs is performed by non-Federal 
auditors. These auditors see firsthand how Federal programs are administered. Their 
objective assessments made as part of gaining an understanding of and testing internal 
controls often disclose problems in Federal programs. Also, these non-Federal auditors 
are independent of both the Federal program and the state and local governments being 
audited. A process is needed to encourage non-Federal auditors to provide direct 
responses to Federal agencies when they observe problems with the Federal program. 
This process would provide Federal agencies with objective feedback from the service 
delivery level on how to improve their programs. 


Recommendation 


5.2(a) Set up a process for non-Federal auditors to voluntarily report directly to 
Federal agencies when they see problems in Federal programs. The auditor would 
not be expected to expand the audit scope to search for these problems and they would 
not be included in the entity’s single audit report. The reporting could be as simple as 


62 


5.3 Improve Timeliness of Audit Reports 
Concem 


The usefulness of single audit reports is impaired when the reports are received late and 
audit resolution is delayed. 


Current Requirements 


The single audit is required to be completed within 12 months of the end of the entity’s 
fiscal year and the report is required to be submitted within one month after the audit is 
completed. Therefore, an entity has a maximum of 13 months after year end to submit 
the audit report. Both the Clearinghouse and the grantor agencies monitor whether single 
audit reports are submitted by the due dates. 


The Federal Cognizant Agency Audit Organization Guidelines ("Orange Book") issued 
in October 1985 by the PCIE Single Audit Committee provides guidance to the OIGs 
related to cognizance for single audits. This document provides guidance that the OIGs 
should process ("Issue") audit single audit reports within 30 days of receipt unless a 
quality control review is performed, and then within 60 days.“ The OlGs monitor 
themselves to ensure that single audit reports are Issued within the recommended time 
frames. 


OMB Circular A-50 ("A-50") requires Federal agency management to resolve audit 
findings within six months after receipt of the report by the Federal Government.” 
OIGs generally measure compliance with this requirement from the time the OIG Issues 
the report to program managers. The Inspector General Act of 1978, as amended, ("IG 
Act") requires that the OIGs semiannual reports include a summary of each Issued report 
that is over six months old and has not been resolved by Federal agency management.” 


Responses 


Responses on this point were inconclusive. In response to one question Federal Program 
Managers indicated a significant problem with audits completed or submitted too late. 
Other respondents did not consider late reports a problem. In a separate question none 
of the respondents supported shorter due dates for audit reports. 


* Orange Book, IV.B. 
® A-SO, Paragraph 8.a.(2). 
* 1G Act, Section 5(a)(10). 


By contrast, in narrative responses some Federal Program Managers and State/Local 


Managers cited specific concerns that reports reached the program office too late and they 
would prefer a shorter due date for audit reports. 


Task Force Analysis 


The Task Force believes that more timely reporting and audit resolution will make single 
audits more useful. There is substantial compliance by entities in meeting the 13-month 
requirement to complete audits. This is supported by the April 1993 annual report by the 
Clearinghouse to OMB that indicates that for fiscal years ended from December 31, 1990 
through Deceinber 30;-1991, 73% of the entities met the 13-month requirement, 14% 
were only late three months or less, and 13% were late more than three months. Since 
most entities are meeting the current requirements, it is reasonable to expect that the due 
dates could be shorted as a way to improve the timeliness of single audits. 


Also, many state and local governments are already completing the audit of the 
comprehensive annual financial report within six months to participate in the Government 
Finance Officer’s Association Certificate of Excellence Program. At the Federal level, 
the CFOs Act requires Federal agencies to complete their audits within nine months; 
however, the OMB has reduced this time to five months.”” An earlier due date for the 
single audit report is consistent with both of these. 


An area of concern is whether the OIGs are able to process the non-Federal audits and 
Issue the reports within the suggested time. While the Orange Book requires the OIGs 
to Issue reports within 30 days (or 60 days when a QCR is performed), these are only 
recommended time frames subject to available staff resources. Because many 
governments have the same fiscal year end (e.g., June 30 and December 31) and wait 
until the due date before filing, some OIGs receive hundreds of reports within a few 
weeks. It is not possible to process all these reports at once. Also, delays in Issuing 
reports can occur because of the complexities of state-wide and other large government 
audits. 


A review of records kept by one OIG showed that report issuance often took three or 
more months with no QCR and an additional one to three months when a QCR was 
performed. One solution would be to revise the Orange Book requirements to streamline 
the processing by OIGs. 


” OMB Bulletin No. 93-18 (issued June 2, 1993 and effective immediately) establishes March 1 as the due date 
for audited financial statements under the CFOs Act. This is five months after the close of the Federal fiscal 


year. 


65 


Recommendations 


5.3(a) Shorten the due date for single audit reports to seven months. Provide an 
exception of ten months for states and large local governments. This change would 
require smaller entities to complete their audits within six months and states and large 
local governments within nine months. All entities would still have one month after 
completion of the audit to submit the single audit report. 


This change would improve the timeliness of audit information to program managers and 
spread out the processing of reports by Federal agencies with staggered due dates. 
complex and may need more time to complete. Also, since smaller entities are more 
often subrecipients, there would de a greater chance that the subrecipient’s single audit 
is completed before the prime recipient’s audit report is due. 


5.3(b) Update the Orange Book to streamline OIGs’ procedures. The Orange Book 
IMPLEMENTATION STRATEGY 


The OMB can implement recommendation 5.3(a) by changing A-128 to require 
single audit reports to be filed sooner. 


The PCIE should implement recommendation 5.3(b) by revising the Orange Book. 


The auditor tests compliance requirements that could have a material effect on each major 
program. However, the auditor does not report which compliance requirements were 
tested for each major program. 


Current Requirements 


The auditor’s internal control and compliance reports disclose the types of compliance 
requirements tested for all major programs. The disclosure is for the group of major 
programs as a whole and not for individual major programs. For example, if any major 
programs were tested for eligibility, then the report would identify that eligibility was 
tested. However, the report would not identify whether an individual major program was 
tested for eligibility. 


Responses 


Federal agency respondents (Federal Program Managers and OIG Staff) indicated a 
significant problem with audit reports not describing the work performed. By contrast, 
non-Federal respondents (Auditors and State/Local Managers) did not see this as a 
problem. 


Similarly, Federal agency respondents indicated expected improvement from a clearer 
description of the internal controls and compliance requirements tested for major 
programs. Auditors did not support this change. 


The questionnaire asked all groups to evaluate a sample compliance matrix that would 
identify by major program the types of requirements tested. All four groups of 
respondents (OIG Staff, Auditors, Federal Managers, and State/Local Managers) 
indicated support for this additional reporting. OIG Staff, Federal Program Managers, 
and State/Local Managers indicated greater support than Auditors. 


Auditors were asked to estimate the additional costs of completing the matrix to identify 


types of compliance requirements tested for each major program. Most of the Auditors 
responding (64%) estimated the additional cost for the matrix would be 5% or less. 


67 


Task Force Analysis 


The types of compliance requirements tested for individual major programs vary with the 
program and the entity audited. Some compliance requirements may not be the entity’s 
responsibility, e.g., eligibility may be determined by the Federal agency or a recipient 
in the case of a subrecipient. The Task Force believes program managers need more 
detailed information on the types of compliance requirements tested for programs tested 
as major. This disclosure would allow auditors to more clearly indicate the level of 
responsibility taken. 


For major programs listed in a Compliance Supplement, the auditor is expected to test 
(or be able to justify why not tested) the Compliance Supplement requirements. 
Therefore, for these major programs a program manager can review the Compliance 
Supplement and determine which types of compliance requirements should have been 
tested. However, sometimes a compliance requirement may not apply to a particular 
recipient or subrecipient. In this case it will not be clear whether the auditor tested a 
specific type of compliance requirement. 


For major programs not listed in the Compliance Supplement, a program manager can 
only hope the auditor clearly read the grant agreement and program laws and regulations, 
made appropriate inquiries, and tested the same material compliance requirements the 
program manager expected to be tested. In this situation, the program manager cannot 
be sure which types of compliance requirements were tested for a particular major 
program without looking at the auditor’s working papers. 


Recommendation 


5.4(a) Require the auditor’s reports on internal controls and compliance to reference 
a matrix that identifies the types of compliance requirements tested for each program 
tested as major. This reference to the matrix would be instead of the current 
requirement to list the specific requirements in the reports. Preparing the matrix would 
provide program managers a betier understanding of the audit coverage for programs 
tested as major, particularly when the program is not listed in the Compliance 
Supplement. Since the auditor must identify the material compliance requirements to test 
them, listing the types of requirements in a matrix should be little additional effort. See 
Attachment 3 on page 113 for an example of this matrix. 


Also, this recommendation would simplify the auditor’s report on compliance by referring 
to the matrix instead of listing the requirements in the body of the report. 


The Task Force considered whether this matrix would create an expectation that when a 
Federal agency accepted a report, the agency had verified that the types of compliance 


requirements indicated as tested were correct. Since the applicable types of compliance 
requirements may vary among entities, the Task Force concluded that a Federal agency’s 
desk review and report acceptance process cannot be expected to verify the auditor’s 
matrix. Any verification of the matrix by a Federal agency would need to be done as 
part of a quality control review or other monitoring process. 


When single audit reports have many findings, users have difficulty identifying which 
findings are significant because auditors must include all findings of non-compliance in 
their reports. Often findings are so minor that Federal agencies (or recipients in the case 
of subrecipients) would normally not include them in the resolution process or otherwise 
followup. Program managers often spend considerable time identifying the minor 
findings that do not need to be resolved. 


Current Requirements 
The Act requires the auditor’s report on compliance to include a summary of all instances 


of noncompliance, and an identification of total amounts questioned, if any, for each 
Federal assistance award. 


The GAS standards for financial audits specify that all material instances of 
noncompliance related to the entity’s financial statements or the program, award, claim, 
fund, or group of accounts being audited should be reported. Other nonmaterial instances 
of noncompliance need not be disclosed in the compliance report but should be reported 
in a separate communication to the audited entity, preferably in writing. The compliance 
report should reference any separate communications of nonmaterial noncompliance. 


A-133, like GAS, allows nonmaterial findings to be reported separately. However, the 
nonmaterial findings must be in writing and submitted to the Federal agency with the 
audit report. 


Responses 


Federal agency respondents (OIG Staff and Federal Program Managers) and State/Local 
Managers indicated expected improvement from prioritizing the significance of audit 
findings. 


Task Force Analysis 
The Act’s requirement to report a! instances of noncompliance in the auditor’s report on 


compliance is more rigid than the GAS and A-133 requirements that permit the auditor 


to use judgment in whether to include findings in the report. The reporting of all 
instances of noncompliance in the single audit report may serve to dilute the presentation 


70 


of more significant findings. Although Federal agencies may not need detail on minor 
findings, under current practice the auditor is required to fully develop minor findings 
and the entity must include them in the corrective action plan. 


Recommendations 


5.5(a) Permit minor instances of noncompliance to be reported separately in writing. 
This change will focus the user’s attention on the more important findings. Also, if the 
requirements for minor findings are simplified, auditors may be more likely to include 
the reporting elements as specified in GAS when reporting findings of noncompliance. 


5.5(b) Provide guidance on the definition of minor findings and how to report them. 
Guidance is needed on Federal agency expectations for minor findings that do not have 
to be included in the report. Initially minor findings should continue to be reported in 
writing and submitted with the single audit reports. However, guidance on Federal 
agency expectations should allow auditors to exercise judgment and screen minor findings 
to be reported separately. As a result, removing the requirement to send Federal agencies 
minor findings may eventually be possible. 


The table on page 72 provides a recommended approach for reporting findings. It 


includes the concerns in recommendation 5.6(a) on page 74 to provide more guidance on 
the content of audit findings. 


IMPLEMENTATION STRATEGY 


The OMB should work with Congress to amend the Act to authorize OMB to 
ee ne eS et 
noncompliance. 


This will replace the current requirement to report 
noncompliance (See Act ¢ 7502(d)(3) and A-128 Paragraph on 


The OMB, GAO, PCIB, and AICPA should work together to provide guidance for 


71 


CLASSIFICATION AND REPORTING OF COMPLIANCE FINDINGS 


Finding which Federal 
agencies do not need to 
resolve or follow-up. 
Specific guidance is: 

(1) If quantifiable, then likely 
questioned costs” less than 
$2,000 for a single type of 
(2) If not quantifiable, then 
sample error rate not more 
than 2%. 

(3) Fraud or sensitive findings 


Finding fully developed and at a minimum include condition, 
criteria, effect and pertinent views of audited entity officials. 
Other information should be included for the government to 
§ determine the cause in order to take proper corrective action. 


Finding includes the following as necessar:, to present the finding in proper perspective: 


- The size of universe in number of items and dollars. 
- The number and dollar amount of transactions tested. 


- The number and corresponding dollar amount of instances of noncompliance. 
Finding identify program name and CFDA number, grant number, and funding source (Federal 


agency or prime recipient in case of subrecipient). 


Finding included in single audit report. 


Finding may be separately 
communicated but must be 
written and sent to funding 
source. Notice of separate 
reporting should be included 


in compliance report. 


Finding included in corrective action plan ("CAP") and auditor 
must follow up in next audit. 


Finding not required to be in 
CAP and auditor not required 
to follow up unless significant 
or material to current audit 


objectives. 


* Likely questioned costs is the auditor’s best estimate of total costs questioned for a particular type of 


° Compliance exceptions such as abuses by high level officials, health and safety issues, or findings which are 


politically or publicly sensitive would not be considered minor. 
72 


56 | P ‘on of Audit Findi 
Concern 


Findings presented in single audit reporis often do not provide sufficient information for 
program officials to resolve the findings or to determine the significance of 
noncompliance. 


Current Requirements 


The GAS reporting standards for financial audits require auditors to place their findings 
in proper perspective. The extent of noncompliance should be related to the number of 
cases examined to give the reader a basis for judging the prevalence of noncompliance. 
A footnote to these standards clarifies that findings have often been regarded as 
containing the elements of criteria, condition, and effect, plus cause when problems are 
found. Also, the GAS standards require auditors to present findings of noncompliance 
in accordance with the report presentation standards for performance audits. 


A-128 has no specific guidance on the content of findings other than to say the questioned 
costs should be identified for each award. A-133 provides guidance that material findings 
should be presented in proper perspective. They should include the number and dollar 
value of items tested and items in the universe as well as the number and dollar value of 
instances of noncompliance. 


Responses 


Federal agency respondents (Federal Program Managers and OIG Staff) responded that 
there was a problem with audit findings not being informative. This problem was also 
supported in narrative responses from Federal Program Managers who commented 
findings were sketchy or not related to program regulations, the significance of findings 
was not clear, and resolution of insignificant findings was a waste of their time. 


Federal agency respondents indicated they would expect improvement in single audits 
from the audit report providing detailed information on sampling. By contrast, non- 
Federal respondents (IPAs, State Auditors, and State/Local Managers) indicated less 
expected benefit from providing detailed information on sampling. 


Federal Program Managers indicated significant expected improvement if they were 
provided with a report summary on audit scope and results. There was some support for 
this from OIG Staff and State/Local Managers; but little support from Auditors. In 


narrative responses Federal Program Managers indicated that it was often difficult to 
identify the significant audit findings. 


Task Force Analysis 


Most guidance for developing findings in A-128 is based on the GAS requirements 
contained in both the financial and performance auditing standards. Some auditors may 
not recognize the need to look to the GAS performance auditing standards for guidance 
on reporting single audit findings. Also, GAS is currently being revised and the finding 
disclosure requirements may change. The Task Force believes A-128 should clearly 
describe the Federal expectations for single audit findings including disclosures on 


The Task Force agrees that more information is needed to help program managers 
determine the significance of audit findings. Recommendation 5.5(a) on page 71 to 
separately report minor findings would identify the less significant findings. However, 
when there are many findings (e.g., state-wide audits), additional methods are needed to 
highlight the more significant findings. 


Recommendations 


5.6(a) Improve guidance on reporting findings and questioned costs. GAS and A-133 
requirements as well as the information needs of Federal Program Managers should be 
considered in implementing this recommendation. Findings should be presented in proper 
perspective and include information as shown in the table on page 72. Also, more 
specific guidance should be given on when costs should be questioned and how auditors 
should determine the amount of questioned costs. 


5.6(b) When there are many findings and recommendations, encourage the auditor 
to include an executive summary. This executive summary should put the findings in 
perspective. It should help the program managers focus on the overall changes needed 
to improve internal control systems and correct noncompliance with laws and regulations. 
An executive summary should be provided for state-wide and other large entity-wide 
audits with many findings. 


74 


IMPLEMENTATION STRATEGY 


The OMB should consult with the AICPA, GAO, and PCIE and develop a change 
to A-128 to provide specific guidance on the presentation of single audit findings. 

Also, A-128 should be changed to encourage an executive summary when there are 
many findings. 


The OMB should add to the Compliance Supplement guidance on how to determine 
the amount of questioned costs. 


These recommendations do not require changes to the Act. 


75 


5.7 Improve Audit Resolution 
Concern 


Auditors have expressed concerns that the audit resolution process is not timely and lacks 
feedback from Federal agencies on audit resolution. This situation is especially 
bothersome to auditors when they are performing subsequent audits that identify the same 
findings for which audit resolution has not been made or communicated. 


Audit resolution officials have expressed concerns that during resolution entities may 
submit additional documentation that refutes a finding. However, this documentation was 
not provided to the auditor either during or after the single audit. Consequently, the 
resolution official must either be the auditor and verify this documentation or accept 
unaudited documentstion to refute an audit finding. 


Current Requirements 


Federal agencies are required to resolve audit findings affecting their programs within six 
months after receiving the audit report. Resolution of audit findings affecting the 
programs of more than one Federal agency is the responsibility of the cognizant agency. 
The Federal agency should notify the entity audited of its decision on the findings in an 
audit resolution document. The audit resolution actions should be consistent with law, 
regulation, and administrative policy; and include written justification containing, when 
applicable, the legal basis for decisions not agreeing with the audit recommendation.” 


Responses 


The questionnaires did not specifically address the audit resolution process. However, 
Auditor respondents in narrative comments indicated that the resolution of findings was 
aritrary, not documented, not communicated, slow, and was based upon representations 
by management that were not audited or otherwise supported. 


Task Force Analysis 


The Task Force believes that the comments received concerning audit resolution are not 
unique to single audits. However, the apparent lack of good documentation of why a 
finding was not supported and the reasoning behind the nonconcurrence is a valid 


- A-50, Paragraph 8.(6). 


concern. When an auditor reports a finding, the auditor often uses the audit resolution 
document as guidance in performing subsequent audits. 


The Task Force believes that before the entity submits additional documentation for 
consideration during audit resolution, the entity should first have the documentation 
audited by their independent auditor. 


Recommendations 


5.7(a) Provide feedback in the resolution documents to help auditors understand 
why findings were not sustained. This procedure will help educate auditors by pointing 


out where they may have misunderstood compliance requirements or the type of 
information needed to resolve findings. Audit resolution officials should be specific when 
findings are not supported, particularly when it is because auditors did not provide 
sufficient information. As part of the normal followup on prior findings, the auditor 
should review the audit resolution documents Federal agencies provide to the audited 
entity. 


5.7(b) When the entity wishes additional documentation to be considered in audit 
resolution, the entity must arrange to have this documentation audited. This change 
will ensure that the additional documentation is subjected to the same level of review as 
if it had been available during the original audit. The entity should coordinate with the 
Federal agency to ensure that the planned additional work will meet the Federal agency 
needs to resolve the finding. 


Since sufficient documentation should have been available at the time of the audit, this 
should not be considered additional audit work for which the Federal agency is 
responsible. This additional work is not part of the single audit and may result in 
additional audit costs. Therefore, the entity will need to make appropriate arrangements 
with their IPA. 


IMPLEMENTATION STRATEGY 


The OMB should implement these recommendations with changes to A-5SO and 


A-128. 
These recommendations do not require changes to the Act. 


5.8 Improve Audit Followup 
Concem 


To ensure that corrective action has occurred, program managers rely on the audited 
entity’s management to report the status of prior year findings in the corrective action 
plan. Program managers also rely on auditor’s followup and their own monitoring. 
However, management’s reporting on the status of prior year findings is performed after 
the auditor’s followup and the entity’s followup report (in the corrective action plan) is 
not reviewed by the auditor. Also, the auditor’s followup does not include all findings 
since the auditor is only required to followup on findings that are material or significant 
to the current audit objectives. 


The reporting by entity management and the auditor provide only limited assurance 
because they only report when corrective action has pot occurred. Therefore the program 
manager must rely on an assumption that if the finding is pot listed in a subsequent report 
that corrective action must have occurred rather than positive assurance that corrective 


Current Requirements 


As part of due professional care, GAS requires the auditor to followup on known findings 
and recommendations from previous audits that could have an effect on the current audit 
objectives to determine whether prompt and appropriate corrective action has been taken 
by entity officials or other appropriate organizations. Also, the auditor's report is 
required to disclose the status of known but uncorrected significant or material findings 
and recommendations from prior audits that affect the current audit objectives. The 
reporting on prior year findings is usually an exception report when corrective action has 
not occurred. 


The entity is required to provide a corrective action plan that includes a plan for 
corrective action on current year findings and comments on the status of corrective action 


taken on prior findings. This status on prior year findings is usually an exception report 
when corrective action has not occurred. 


Responses 
This issue was not specifically addressed in the questionnaires. 


Task Force Analysis 


Program managers review the auditor’s reports and the entity’s corrective action plan and 
render a decision describing the corrective action the entity needs to take (often called a 
program determination letter or management decision). 


The auditor must followup on prior findings that could affect current audit objectives to 
determine whether corrective action has been taken. However, if the program is 
nonmajor in the next year, it most likely would not affect current year audit objectives 
and the auditor would not be required to followup. 


The Task Force believes that if a finding is significant enough to be included in Federal 
audit resolution and the Federal agency includes the finding in a program determination 


letter to the entity, then the entity’s auditor should followup in the next audit, regardless 
of whether the finding affects current year audit objectives. 


Under current requirements, management’s reporting on prior year findings (in the 
corrective action plan) is not until after the auditor’s report is issued. Also, the auditor 
is not required to review management's report of the status of prior year findings. The 
Task Force is concerned that since the auditor reports on prior year findings before 
management, management may often rely on the auditor for followup. 


The Task Force believes that if management performed their followup and reporting first, 
Lianagement would become more directly involved in ensuring that corrective action was 
taken. Also, it would benefit the auditor to have management's representation on the 
status of prior year findings before reporting on them. Therefore, the Task Force 
believes the entity’s followup report should be prepared before the auditor's followup. 


An auditor’s review of management’s report on prior findings would provide additional 
assurance to program managers on the status of prior finding. Since auditors are already 
required to followup on prior period recommendations, additional audit field work should 


not be required to report on management's representation of the status of prior findings. 


Recommendations 


5.8(a) Require management to include an assertion on the status of prior findings 
with the single audit report. This assertion should include all findings in the prior year 
audit report and any uncorrected findings from audits before the prior year for which a 
separately reported under recommendation 5.5(a) on page 71 would be excluded from this 
reporting. 


When corrective action has been taken, the reporting would not need to list each 
individual finding but could he a summary reporting with specific reference to which 
findings were fully corrected. When findings are not corrected or only partially 
corrected, the entity should specifically reference the finding and describe planned 


the reasons for this position should be described. 
5.8(b) Require the auditor to attest to the accuracy of management’s assertiun of the 


status of prior findings. This procedure should provide Federal program managers 
assurances on whether the status of prior findings is accurately reported. 


IMPLEMENTATION STRATEGY 


The OMB should work with the AICPA and GAO to implement these 
recommendations. Changes will need to be made to A-128 (and possibly the Act) 


to require this reporting. AICPA guidance will be needed on management’s 
assertion of the status of prior year findings and the auditor’s attestation. A‘so, the 
followup on findings should to be consistent wit the GAO audit resolution 
standard. Program managers will need to be consulted to ensure that the fo lowup 
reporting meet iheir needs. 


6 LARGE ENTITY-WIDE AUDITS 


A major program can be administered by more than one agency, department, or 
establishment ("Multiple Operating Units") within a large entity (e.g., state-wide audits, 
State university systems, or large local governments). Concerns have been expressed 
about how many Multiple Operating Units must be audited for internal control and 
compliance to provide adequate coverage for an individual major program. 


For example, in current practice it is not clear whether the auditor should examine the 
internal control system and test compliance with laws and regulations at each operating 
unit or whether the auditor may omit testing at some operating units based on materiality. 
Sometimes the part of a program at one operating unit could be large enough to be a 
major program by itself. 


Current Requirements 
The auditor is required to consider the internal control structure, policies, and procedures 
of each separate component of a multiple operating unit.”! 


Responses 


Federal agency respondents (Federal Program Managers and OIG Staff) expressed 
concern that entity-wide audits were too large. However, non-Federal respondents 
(Auditors and State/Local Managers), and in particular State Auditors, did not share this 
concern. 


In narrative responses, Federal Program Managers and State/Local Managers expressed 
some dissatisfaction with the single audits of larger governmental units. 
Task Force Analysis 


Large entity-wide audits often include a major program that is administered by Multiple 
Operating Units. Examples are student financial aid programs such as Perkins Loans, 


** AICPA SOP 92-7, Paragraph 4.12. 


81 


Guaranteed Student Loans, College Work Study, and Pell Grants that are often major 
programs for the audit of the state but are administered by individual colleges. In this 
example, each college may have a completely separate internal control system. The 
auditor’s gaining an undezstanding and testing cne college’s system provide no 
information about another college’s system. 


In practice, on a case by case basis, OlGs have permitted entities to not visit each 
operating unit each year. Consistent guidance is needed on how to audit a major program 
that is administered by Multiple Operating Units. The Task Force believes that the 
concerns of Federal officials could be addressed by better guidance on required audit 
coverage when a major program is administered by more than one operating unit. 


Recommendations 


6.1(a) Provide guidance on how much of a major program must be tested each year. 
At least once every three years”, the auditor should test internal controls and 
compliance for each operating unit administering the major program. An exception 
would be when a particular operating unit administered clearly insignificant parts of a 
major program. 


In any one year, the internal control and compliance review in accordance with A-128, 
paragraphs 8.a and 8.b ("Full Review") should be performed at operating units that 
administer at least 70% of expenditures for a particular major program. For the 
remaining operating units, the auditor should perform a followup on all prior findings that 
have not been corrected. When proper corrective action has pot been taken on prior 
findings (either internal controls or compliance) and these findings are significant to the 
individual operating unit’s share of a major program, the operating unit should be 
included in the Full Review. 


6.1(0) Provide guidance on the materiality base for audit planning and reporting. 
When planning the audit and reporting internal control and compiiance findings, the 
auditor should base materiality relative to the respective individual operating unit. 
However, when providing the opinion on compliance, the auditor should base materiality 
on the whole major program. 


* At least once every three years is interpreted .o mean that the operating unit would not go unaudited, for this 
purpose, for more than two consecutive years. 


82 


For example, a student financial aid program ("SFA") was a major program in a state- 
wide audit and was split as follows among six colleges: 


College A 35% 
CollegeB 30% 
CollegeC 15% 
CollegeD 10% 
CollegeeE 5% 
College F 5% 
Total 100% 


In a given year the auditor chose Colleges A, B, and F to meet the 70% requirement for 
testing as discussed in recommendation 6.1(a) above. When planning the audit for 
College F, the auditor would base materiality relative to the 5% of the major program 
administered by College F and not relative to the whole major program administered by 


all operating units. 

Internal control findings at College F would be considered reportable conditions (or 
material weaknesses) based on the effect on College F although they may not be material 
to the SFA program state-wide. The reporting of findings should provide information to 
put them in perspective for both the particular college SFA program as well as the SFA 
program state-wide. 


Similarly, questioned costs and noncompliance would be reported based on materiality 
to College F, with information to put them in perspective for both College F as well as 
the SFA program state-wide. The single audit opinion on compliance for the SFA 
program would not be modified unless the exceptions from all operating units were 
material to the program state-wide. 


The OMB should work with the AICPA and the PCIE to implement this change. 
These changes could be made in either A-128, a PCIE position statement, or 
AICPA audit guidance. 


These recommendations do not require changes to the Act. 


83 


7 SUBRECIPIENT AUDITS 


7.1 Quality of Subrecipient Audi 
Concer 
There is a need to ensure that subrecipient audits meet the required standards. 


Current Requirements 
A-128 paragraph 9.a requires recipients to determine whether state or local subrecipients 
have met the audit requirements of this circular. 


Responses” 


OIG Staff indicated significant support for QCRs of subrecipient audits. Other 
respondents (Auditors and State/Local Managers) indicated lesser support. 


Auditors were asked to estimate the increase to single audit costs for this enhancement. 
They responded with an expected 10% to 25% cost increase if recipients were required 
to perform QCRs on subrecipients. 


Task Force Analysis 
A-128 does not specifically require recipients to perform QCRs of subrecipient audits. 
However, prime recipients are expected to estabiish a system to assure that audits of the 


subrecipients meet the requirements of A-128. Such a system should include a desk 
review of each subrecipient report to ensure it conforms to A-128. 


Recipients are charged with the responsibility to ensure that subrecipients expend Federal 
funds in accordance with laws and regulations. As such, recipients are to monitor 
subrecipients to ensure compliance. One form of monitoring is to rely on subrecipient 
audits. 


Besides performing a desk review of subrecipient audits to ensure that the audits meet 
A-128 reporting requirements,” recipients may nevd to determine whether underlying 


> These questions were not asked to Federal program managers because they do not deal directly with 


* OMB A-128 Q&A, Question 23. 


audit work conducted for subrecipient audits meets GAS and A-128 or A-133 
requirements, as applicable. This procedure is essential in instances where subrecipient 
audits are material to a major Federal program of the recipient. 


The GAO and OIGs have identified problems with the quality of single audits. The 
deficiencies cited have related to both single audit field work and reporting. When 
recipient monitoring identifies inconsistencies with subrecipient audit results, the recipient 
should consider conducting a QCR of the subrecipient audit. Recipients having internal 
auditors or other qualified personnel on staff probably could carry out this quality review 
function themselves. Other recipients may need to obtain assistance to perform a QCR 
from such sources as the recipient’s IPA, another IPA, or their state auditor. 


The recipient should advise the subrecipient’s auditor when an audit does not meet 
applicable audit requirements. In this instance, the subrecipient’s auditor should be 
expected to take corrective action. If corrective action is not taken, the recipient should 
inform the subrecipient of the auditor’s failure to correct the audit deficiencies. The 
recipient should ensure that any major inadequacies or repetitive substandard performance 
of an indenendent auditor is referred to appropriate professional bodies for possible 
disciplinary action. 


Recommendation 


7.1(a) Clarify the recipient’s responsibility to review subrecipient audit reports to 
determine whether they meet applicable audit requirements. At a minimum the 
recipient should perform a sufficient desk review to determine whether the audit report 
submitted by the subrecipient appears on its face to be a valid single audit report. 
However, when subrecipient audits are material to a major Federal program of the 
recipient, the recipient should consider using procedures such as conducting a QCR to 
confirm the quality of the subrecipient audit. 


Modifications may be needed in cases such as when a state auditor audits both the state 
and the state’s subrecipients or a subrecipient’s audit is reviewed by a Federal agency. 
It may not be necessary for the state to desk review their state auditor’s reports or 
consider performing a QCR. When a subrecipient is also a prime recipient with an 
assigned cognizant agency, the recipient should consider relying on the desk review and 
QCF. process of the OIGs. 


The need to consider performing a QCR is especially important when subrecipient audit 
reports sh Czpartures from applicable audit requirements or the recipient finds 
inconsisten:.<s between the results of its own monitoring and the results of the 


*® €se footnote 17 on page 48. 


85 


subrecipient audit. For example, a monitoring visit by the recipient may show that the 
subrecipient does not have a system or records to support determining eligibility. If a 
subrecipient audit for this period did not show any problems with eligibility, then the 
recipient may have a good reason to perform a QCR on the subrecipient’s audit. 


IMPLEMENTATION STRATEGY 


The OMB should implement these recommendations with changes to A-128 or the 


Common Rule. The PCIE should assist in these changes to ensure coordination 


These recommendations do not require a change to the Act. 


8 AUDIT COGNIZANCE 


8.1 Regularly Evaluate and Update Cognizance 


Cognizance is not regularly evaluated and updated and sometimes not assigned to the 
Federal agency with the greatest interest in the entity. 


Current Requirements 


The cognizant agency is the Federal agency assigned by the OMB to serve as the primary 
single audit contact to an entity.” The last complete assignment of cognizant agencies 
was made in January 1986. In this assignment, the same agency was assigned cognizance 
for both the indirect cost plan and the single audit. 


Responses 


OIG Staff respondents indicated a problem with cognizance being improperly assigned 
because funding levels changed or because there was large indirect funding but no direct 


funding.” 


Task Force Analysis 


The cognizance assignments were made considering the amount of funding to the entity 
and the need to divide work loads among the OlGs. Also, since the cognizance 
assignment was for both indirect cost plans and single audits, some entities were assigned 
to the Federal agencies because of indirect cost experience rather than the amount of 
direct funding provided. 


There has only been limited reassignment of cognizance since 1986, usually because of 
a state changing from a department by department audit to a state-wide audit. Since the 
amount and source of Federal funding to an entity can change, the assignment of single 
audit cognizance needs to be reviewed periodically to ensure that the Federal agency 
assigned cognizance provides a significant amount of direct funding. 


* A-128, Paragraphs Sa and 11. 
” Cognizance questions were asked only to OIG Staff. 
87 


Recommendations 


8.1(a) Review assignment of cognizance every three years. Changes should be made 
to ensure that the cognizant agency has an interest in the entity. However, when the 
current cognizant has significant direct funding, continuity of cognizance is desirable. 
The OMB should consider delegating staff work related to the reassignment to the PCIE 
(similar to the procedure discussed for update of the Compliance Supplement in 
recommendation 3.1(b) on page 29). 


8.1(6) Set up a process for the cognizant agency and another Federal funding agency 
to have cognizance changed for good reason. An example of a good reason would be 
when the current cognizant agency’s funding to an entity falls significantly below another 
Federal agency’s funding. The current cognizant agency and the Federal agency with the 
most (or significant) funding could present a joint request to OMB for a cognizance 
reassignment. This procedure would help ensure that cognizance is assigned to a Federal 
agency with an interest in performing the cognizant agency responsibilities. 


8.1(c) Base cognizant assiguments primarily on the extent of direct funding. Making 
assignments based on direct funding will increase the level of cognizant agency interest 
in effectively carrying out the cognizant agency responsibilities. The Clearinghouse can 
be used as a resource for obtaining information about levels of funding to specific 


8.1(d) Clarify that cognizance for single audit and indirect cost rates need not be the 
same. This procedure would help ensure the Federal agency assigned single audit 
cognizance had interest in the organization’s single audit. 


IMPLEMENTATION STRATEGY 
The OMB should implement these recommendations by revising the system used to 
assign cognizance, reviewing cognizance assiguments, and making reassignments 
as necessary. The PCIE should provide any requested assistance. 


These recommendations do not 3 to the Act or A-128. 


iTS a C. ' 


Federal funds are not properly identified to recipients and subrecipients. 


Current Requirements 


There are no specific requirements in A-128 relating to identifying Fedcral funds. By 
contrast, the Attachment to A-133 provides the following guidance: 


Paragraph 1.¢.(4) 

The granting agency is responsible for identifying the source of funds awarded to 
recipients; the recipient is respons*>le for identifying the source of funds awarded 
to subrecipients. 


Paragraph 13.¢.(2) 
To assist recipients in identifying Federal awards, Federal agencies and primary 
recipients shall provide the Catalog of Federal Domestic Assistance (CFDA) 
numbers to the recipients when making the awards. 


Responses 


OIG Staff, Auditors, and State/Local Managers expected improvement from requiring 
Federal agencies to identify the amount, CFDA number, :nd program n#~ for Federal 
financial assistance provided to prime recipients. They also expected improvement from 
requiring prime recipients to identify this information for subrecipients. 


In narrative responses, Small Government Managers indicated a significant problem when 
the CFDA number was not provided for Federal funds passed through to them. 

Task Force Analysis 

CFDA numbers are sometimes not provided by Federal agencies to the recipients or by 


prime recipients to subrecipients. Prime recipients often commingle Federal and non- 
Federal funding passed through to subrecipients. Also, Federal funds are often renamed 


or abbreviated when passed through to subrecipients. These items cause confusion to the 


As Federal agencies provide funding to recipients or as prime recipients pass through 
Federal funds to subrecipients, each step of the process should clearly identify the original 
source of all funding. If state or local funds are combined with Federal assistance, prime 
recipients should clearly identify the Federal part. This procedure is necessary for the 
entity to ensure compliance with laws and regulations as well as to complete the Schedule 
of Federal Financial Assistance. 


9.1(a) Require identification of Federal funds awarded to recipients or passed 
through to subrecipients.” Federal agencies awarding funds to recipients and prime 
recipients passing Federal funds through to subrecipients should identify the Federal 
amount, CFDA number, and program name. The testing 07 subrecipient monitoring, (see 
recommendation 3.7(a) on page 48) should include a requirement thai the auditor of the 
prime recipient test whether proper identification of Federal funds is made to 


IMPLEMENTATION STRATEGY 


The OMB should implement this recommendation with changes to A-102 or the 
Common Rule to require Federal agencies and prime recipients to clearly identify 
the amount, CFDA number, and program name for funds passed through to 
Subrecipients. 


This recommendation does not require a change to the Act. 


* See footnote 17 on page 48. 


9.2 Changes to be Consistent with A-133 
Concer 


The differences between A-128 and A-133 should be limited to those necessary because 
of the differences between governmental and not-for-profit organizations. 


As necessary, requirements are presented with each recommendation. 


The Task Force did not specifically address these issues in the questionnaires. However, 
all four croups of respondents (OIG Staff, Auditors, Federal Program Managers, and 
State/Local Managers) in narrative responses generally indicated satisfaction with the 
single audit enhancements made in A-133 and supported consistency between the two 
circulars. 


Task Force Analysis 


The guidance given in A-133 was developed based on the experience gained from single 
audits of state and local governments under the Act and A-128. The recommended 
changes will make single audits easier to understand and administer by limiting 
differences to those necessary because of the differences between governmental and 
not-for-profit organizations. 


Recommendations 


9.2(a) Use the term Awards and include Federal cost-type contracts with single 
audits. Currently the Act and A-128 do not include cost-type contracts. Cost-type 
contracts need to be audited and the most efficient approach is to include them as part of 
the single audit. A-133 uses the term Award and defines awards as including both 
Federal financial assistance and cost-type contracts. 


A governmental institution of higher education can be audited under either A-128 or 


A-133. Therefore, for cimsistency, A-128 needs to use the term Awards and include 
cost-type contracts to provide the same audit coverage as A-133 does. This change will 


91 


also change the name of the Schedule of Federal Financial Assistance in A-128 audits to 
the same name used in A-133 audits, Schedule of Federal Awards. 


9.2(b) Define R&D and SFA as separate programs. Under A-133 the sum of 
expenditures from research and development ("R&D") awards and the sum of 
expenditures from student financial aid ("SFA") awards are each considered a program. 
However, the various awards comprising the two programs may have different 


A governmental institution of higher education can be audited under either A-128 or 
A-133. Therefore, for consistency A-128 should define R&D and SFA the same way as 
A-133. 


Defining R&!) and SFA categories as separate programs requires that guidance be given 
on how they will be presented in the Schedule of Federal Awards. The Task Force 
recommends reporting each individual award as a separate line on the schedule whenever 
practical as recommended in the Questions and Answers on OMB Circular A-133, Audits 
of Institutions of Higher Education and Other Nonprofit Institutions ("A-133 Q&A"), 
question number 29. 


Also, guidance will need to be given on when a program-specific audit can be performed 
on R&D and SFA. This guidance should be consistent with A-133 Q&A, question 
number 10. 


9.2(c) Determine the oversight agency based on the predominant amount of direct 
funding rather than total funding. Under A-133 oversight is determined based on 
direct funding. The Federal agency that awards the predominant amount of direct 
funding is most affected by the entity’s management of Federal programs. Where there 
is no direct funding, it would be appropriate for the Federal agency with the predominant 
indirect funding to assume general oversight. 


9.2(d) Enhance the concept of an oversight agency to allow such agencies to assume 
the responsibilities normally performed by a cognizant agency. Under A-133 the 
concept of oversight was more clearly defined than it was in A-128 and the oversight 
agency was permitted to assume all or some of the responsibilities normally performed 
by the cognizant agency. Although OMB A-128 Q&A, question number 48, provides 
guidance in this area, A-128 should be changed to enhance the concept of oversight 
agency. 


9.2(e) Update single audit guidance for current terminology. The Act, A-128, and 
A-133 use different terms to describe the same concepts. Unless there are specific 
differences between governmental and not-for-profit organizations, the same terms should 
be used. Also, some terms in A-128 are not the current terms used in auditing standards. 


92 


Examples of changes needed are the terminology related to the audit resolution process 
and the consideration of the internal control structure. 


9.2(f) Clarify that procurement contracts are not included as Federal awards. 
A-133 clarified that procurement contracts to vendors under grants or contracts, used to 
buy goods or services are not awards. Although the A-128 Q&A, question number 26, 
provides guidance in this area, A-128 should be changed to clearly indicate that 
procurement contracts should not be considered awards. 


9.2(g) Clarify auditor’s compliance responsibility for vendors. Some transactions 
may be structured such that the vendor is responsible for compliance or the vendor's 
records must be reviewed to determine compliance. A-133 Q&A, questions number 57 
and 58, clarified that a not-for-profit is responsible for ensuring compliance for these 
vendor transactions and the not-for-profit’s auditor is responsible for determining 
compliance for applicable vendor transactions. A similar clarification is needed for 
entities under A-128. 


IMPLEMENTATION STRATEGY 


The OMB should take the lead in implementing these recommendations with 


changes as neceasary to the Act, A-128, the Compliance Supplement, etc. 
Changes may also be needed to AICPA and PCIE guidance. 


Consideration should be given to combining A-128 and A-133 into a single revised 
circular. 


Besides the formal Federa! single audit guidance, e.g., the Act and A-128, additional 
guidance is provided by the A-128 Q&A; PCIE Position Statements; AICPA Statements 
on Auditing Standards, audit guides, and Statements of Position; and single audit practice. 
Often the additional guidance provides clarification for issues not specifically addressed 
in the original guidance. The more significant issues should be included in the Act or 
A-128. 


Current Requirements 
As necessary, requirements are presented with each recommendation. 


Responses 
The Task Force did not specifically address these issues in the questionnaires. 


Task Force Analysis 
This section does not change the way single audits are being performed but clarifies and 
supports current guidance and practice. 


Recommendations 


9.3(a) Provide more guidance on program-specific audits. The Act and A-128 permit 
program-specific audits but do not define them or provide guidance on performing or 
reporting for them. For a few programs, OlGs have prepared program-specific audit 
guides. However, for most programs a current program-specific audit guide is not 
available. Also, there is limited AICPA guidance on program-specific audits. 


Program-specific audits should be performed in accordance with GAS. The reporting 
should include an opinion on the financial statements of the program, a report on the 
program’s internal controls, and a report on program compliance with laws and 
regulations. A schedule of findings and questioned costs, management letter, and report 
on illegal acts may also be required when applicable. 


Guidance should also be provided on the form and content of financial statements in a 
program-specific audit. Examples of specific issues are whether to include program 
income, matching funds, require a balance sheet, or use cash basis accounting. 


When there is no audit guide and a program is listed in a Compliance Supplement, the 
auditor should consider the Compliance Supplement steps in the program-specific audit. 


9.3(b) Clarify that the auditor’s responsibility for auditing Federal program income 
is the same as the responsibility for auditing Federal awards. The Act and A-128 do 
not clearly define the auditor’s responsibility for Federal program income. These 
documents should clarify that the auditor is responsible for testing internal controls and 
compliance for program income the same as for program expenditures. The Compliance 
Supplement should identify the sources of income normally associated with a program and 
provide suggested audit procedures. 


9.3(c) Clarify the basis for determining awards received. Generally the definition of 
receipt of Federal awards should be based on how an organization recognizes and reports 
its revenue. However, specific guidance is needed for unique circumstances such as loan 
programs, loan guarantee programs for both lending institutions and other non-lending 
program participants, one time loans or loan guarantees without continuing compliance 
requirements other than repayment, non-cash awards such as food stamps and surplus 
property, and endowment funds. Some guidance has been provided in the A-128 
Q&A”, A-133 Q&A, and responses by OIGs to specific inquiries. 


The Task Force believes there is now sufficient experience with single audits to include 
in A-128 the basis for determining awards received. For example, A-128 should define 
the basis for awards received in determining when an audit is required, in determining 
major programs, and for reporting in the Schedule of Federal Financial Assistance. 


9.3(d) Require the single audit reports to identify programs tested as major. AICPA 
SOP 92-7, paragraph 3.13 requires auditors to identify which Federal programs are major 
programs. However, A-128 does not require the identification of major programs. Also, 
if recommendations 2.1(a) on page 19, recommendation 2.1(b) on page 20, and 2.2(a) 
on page 24 are accepted, the report will need to specifically identify nonmajor programs 
tested as major based on the 50% rule, selection by Federal agencies, and a risk-based 
selection. Since users of single audit reports need to know which programs were tested 
as major, A-128 should include this requirement. 


9.3(e) Clarify that subrecipients should only send single audit reports to 
organizations directly awarding Federal funds to the entity. For example, a 


* Questions 8 and 33. 
Questions 7, 26, 27, and 29. 


subrecipient should send the audit report to the prime recipient providing funds but not 
to the Federal agency indirectly providing the award unless the Federal agency 
specifically requested the report. Entities that are both recipients and subrecipients should 
submit reports to the Federal agencies providing direct funding and to each prime 
recipients passing through Federal funds. 


This recommendation does not change the requirement that entities send their reports to 
the Clearinghouse or the specifically designated cognizant agency. 


9.3(f) Clarify that the auditor is required to issue an opinion on compliance for each 
major program. A-133, paragraph 15.c.(3), clearly states that an opinion is required 
on each major program. Although the language in A-128 has been interpreted to require 
an opinion on major program compliance, A-128 should include specific language 
requiring the compliance opinion. 


9.3(g) Clarify entities and sources of funding covered by the single audit. Since the 
passage of the Act certain Federally funded entities have held that they are not bound by 
its requirements. Such entities include the Legal Services Corporation, the Public 
Broadcasting Corporation, the Department of Defense for National Guard funds and 
Indian organizations receiving funds under the Indian Self-Determination Act. Also, 
clarification is needed for such payments as settlement of purported overcharges by 
petroleum marketing organizations, passenger facility charges assessed by airports, 
payments-in-lieu of taxes, and forfeited assets from drug seizures. It should be clarified 
whether entities and payments such as these should be included under the single audit. 


9.3(h) Clarify that entities audited under A-128 must follow the administrative 
requirements and cost principles applicable to the type of entity being audited. For 
example, A-128 only mentions the state and local government guidance (OMB Circulars 
A-102 and A-87). A governmental institution of higher education is under OMB 
Circulars A-110 and A-21 for administrative requirements and cost principles, but can 
be audited under A-128 as part of a state or local government. Since A-128 fails to list 
the guidance for institutions of higher education, some auditors have tried to apply 
guidance applicable to state and local governments to institutions of higher education. 


9.3(i) Clarify that the definition of the entity should be the same for the financial 
statements and the single audit. The Act requires an audit of the entire operations of 
a state or local government, or at the option of the government the audit may cover 
departments, agencies, or establishments. The Act requires the auditor to issue an 
opinion on the financial statements of the entity being audited. PCIE Statement No. 1 
was issued to clarify that if the audited entity was a department, agency, or establishment 
the financial statements to be audited were of the same department, agency, or 
establishment and not the government as a whole. 


An exception to this is when a component unit has its own financial statements and single 
audit as well as being included as a part of larger entity-wide financial statements. The 
entity-wide single audit may exclude a component unit that has both its own financial 
statements and single audit. However, the single audit report of both the component unit 
and the larger entity must clearly describe what is included and not included in their 
respective single audits. 


9.3(j) Clarify that the Compliance Supplements set forth the major compliance 
requirements that should be considered in a single audit. Federal agencies have 
identified the requirements in the Compliance Supplements as significant to the programs 
and auditors should be encouraged to use the supplements. However, the auditor is 
responsible for ensuring that significant requirements that are modified because of 
changes in laws or regulations are included. The auditor should be prepared to justify 
any departures from a Compliance Supplement. 


Separate Compliance Supplements have been developed for A-128 and A-133 which set 
forth the major compliance requirements that should be considered in performing single 
audits. The Act and its implementing regulations do not define the purpose or authority 
of the Compliance Supplements. 


9.3(k) Update an A-128 reference to reflect the Common Rule. The reference in 
A-128, paragraph 8.b.(2)(b), to Attachment F of Circular A-102 should be changed to 
the Common Rule. 


9.3(1) Administer a single source for Federal single audit guidance. Federal single 
audit guidance is found in such sources as OMB circulars, the Compliance Supplements, 
the Common Rule, Questions and Answers on A-128 and A-133, PCIE Position 
Statements, PCIE Desk Review and QCR Guides, the Orange Book, Federal agency audit 
guides, and Government Auditing Standards. It is inefficient for the auditor to obtain and 
keep up with so many different sources of guidance. For example, an auditor in the field 
may need a particular document and it may take several weeks to order and receive it. 
Also, there is no single source for the auditor to check and verify that they have the most 
current version. 


A more efficient approach would be for one Federal organization to administer a single 
source for Federal single audit guidance. Possible approaches are to annually publish a 
book with copies of the most current guidance, annually issue the text in a format 
readable by most personal computers, or to administer a bulletin board that auditor’s 
could dial into and download the most current copy of the particular reference needed. 


9.3(m) Clarify the auditor’s responsibility to verify accuracy of Federal reports. 
The auditor is required to test financial and special reports submitted to Federal agencies. 
These reports are significant in maintaining accountability for Federal programs and may 


97 


be used in determining a recipient’s level of funding. However, the current procedures 
do not provide the auditor a method to determine whether the copy of the report the 
auditor tests is the same as the copy sent to the Federal agency. Where Federal agencies 
determine it is important to verify that the report tested by the auditor is the same as the 
report provided to the Federal agency, the Compliance Supplement should include 
appropriate procedures. 


For example, the Federal funding agency could sign and return to the recipient a copy 
of the report they received. The auditor could then test the copy that had been 
acknowledged by the Federal agency. Alternatively, the auditor could send the Federal 
funding agency a copy of reports to be tested and ask for either positive or negative 
confirmation that the copy provided is the same as the copy on file with the Federal 
funding agency. The Federal agency would then be expected to respond to the auditor 
within a short period (e.g., 21 days) if there were any differences. Similar confirmation 
procedures could be used by a subrecipient’s auditor in the case of a prime recipient. 


IMPLEMENTATION STRATEGY 


The OMB should take the lead in implementing these recommendations with 
changes as necessary to the Act, A-128, and the Compliance Supplement. Changes 
may also be needed to AICPA and PCIE guidance. 


9.4 Training 
Concern 


Current training for both auditors and program managers on single audits needs to be 
enhanced. 


Current Requirements 


Auditors are required to have training to meet the continuing education requirements of 
GAS. There are no specific training requirements for program managers. 


Responses 


OIG Staff, Auditor, and State/Local Manger responses indicated that adequate single audit 
training was available. Federal Program Managers indicated some concern about 
available training. As a whole, all four groups of respondents (OIG Staff, Auditors, 
Federal Program Managers, and State/Local Managers) indicated more concern about 
program officials’ understanding of the single audit than auditors’ understanding of it. 


By contrast, all four groups of respondents (OIG Staff, Auditors, Federal Program 
Managers, and State/Local Managers) provided narrative responses that indicated single 
audit training could be improved. Respondents said that auditors did not properly 
understand the Federal programs being audited. Auditors responded that program 
managers did not understand what was required by the Act and the limitations on 
projecting audit test results. Some Auditors felt that they were being required to provide 
more information than required by the Act. 


Task Force Analysis 


The Task Force believes that the differences between the objective and narrative questions 
may be related to the need for more specific program training. Currently generalized 
training is available for single audit concepts and auditing and reporting requirements. 
However, limited training is available to focus on individual Federal programs, groups 
of programs, or types of entities. For example, training should be available on the 
Federal programs normally found in a school district and how to audit them. 


The delivery of the training should include case studies; sample working papers; examples 


of typical internal controls; sample methods of testing and documenting tests; and 
procedures to identify, document, and report typical noncompliance. The training should 


99 


orient the non-Federal auditor to view areas where noncompliance is likely to occur with 
increased professional skepticism. This suggestion does not imply that the non-Federal 
auditor should look at additional requirements (as may be done by the OIG Staff or 
Federal Program Managers), but rather the non-Federal auditor should look very closely 
at the key requirements for programs tested as major. 


Recommendations 


9.4(a) Develop training programs to help program managers understand the single 
audit. The training should include examples of Federal programs and explain specifics 
on how the auditor would test the program. The examples should include what the single 
audit does and does not include. 


9.4(b) Provide training to help auditors understand the internal control and 
compliance requirements of specific Federal programs and types of entities. Program 
managers should be involved in the development and presentation of this training. This 
training should include areas of program vulnerability, the design of audit tests, and 
examples of working papers. Examples should also be provided on how to review and 
evaluate Controls Over Compliance. 


9.4(c) Develop case studies on auditing internal controls and compliance areas that 
are common to several Federal programs. Eligibility is an example of an area that is 
common to many Federal programs for which a generalized audit approach could be 


taught. 


IMPLEMENTATION STRATEGY 


The PCIE and program managers should work together to implement this 
recommendation. As necessary, assistance should be requested from professional 


100 


10 SINGLE AUDIT OBJECTIVES 


Concer 


The objectives of the Act may not have been achieved or there may be additional 
objectives that should be added to the Act. 


Current Requirements 
The stated objectives of the Act were to: 


< Improve the financial management of state and local governments with 
respect to Federal financial assistance programs; 


o Establish uniform requirements for audits of Federal financial assistance 
provided to state and local governments; 


o Promote the efficient and effective use of audit resources; and 


© Ensure that Federal departments and agencies, to the maximum extent 
practicable, rely upon and use audits done pursuant to the Act. 


Responses and Task Force Analysis 


The Task Force asked each respondent whether they believed each of the four objectives 
of the Act had been achieved. Overall, all groups of respondents (OIG Staff, Auditors, 
Federal Program Managers, State/Local Managers, and Small Government Managers) 
indicated the Act’s objectives had been achieved. State Auditors, State/Local Managers, 
and Small Government Manageis responded more strongly than other groups that 
financial management had been improved and audit resources were used more efficiently 
and effectively. The Task Force believes these groups would have a more direct 
knowledge of these benefits from single audits to their entities. 


All groups of respondents gave the strongest response that the Act established uniform 
audit requirements for audits of Federal financial assistance. 


All groups of respondents indicated that Federal departments and agencies generally relied 
upon and used the single audit work. However, the Task Force was concerned that 
Federal Program Managers, the group that should have the best knowledge of how well 
Federal agencies rely upon single audits, gave the lowest support that this objective had 
beer achieved. 


101 


The Task Force also provided a list of possible additional objectives for the Act and asked 
whether these would improve single audits. The additional objectives were for: 


° Single audits to provide program managers with information needed to 
carry out their responsibilities for Federal financial assistance; 


° Auditors to conduct program results audits for Federal financial assistance; 


c Auditors to conduct economy and efficiency audits for Federal financial 
assistance; 


. Recipient management to report on performance data for Federal financial 
assistance; and 


“ Auditors to provide assurances on recipient management’s reporting of 
performance data for Federal financial assistance. 


Except for the objective of providing program managers with the information they need 
to carry out their responsibilities, none of the additional objectives were supported by any 
of the groups of respondents.*' The strongest support for this objective was from 
Federal Program Managers, OIG Staff, and State/Local Managers. 


Recommendations 


Overall, the Task Force does not believe the survey results support a need to add 
objectives to the Act. However, the Task Force believes there is support to ensure that 
single audits provide program managers with the information they need to carry out their 
responsibilities for Federal programs. Providing this information to program managers 
will also help single audits to better achieve the fourth objective of the Act. The 
following recommendations in this report will help ensure single audits provide program 
managers with the information they need: 


Ref. Page Summary of Recommendation 

2.1 17 Improve audit coverage of nonmajor programs. 

4.1 51 Clarify the extent of internal control and compliance testing required. 
5.1 58 Reduce and simplify auditor’s reports. 


*' Small Government Managers were not asked questions about additional objectives. 
102 


5.2 
5.3 
5.4 
5.5 
5.6 
5.7 


5.8 


9.4(a) 


62 


Report design problems in Federal programs. 
Improve timeliness of audit reports. 

Identify the types of compliance requirements tested. 
Permit minor findings to be reported separately. 
Improve presentation of audit findings. 

Improve audit resolution. 


Improve audit followup. 


Develop training programs to help prcgram managers understand the 
single audit. 


103 


SAMPLING APPROACH Attachment 1 


Offices of Inspectors General 


Questionnaires were sent to staff members ("OIG Staff") in each of the OIGs that are 


involved with single audits. Questionnaires were sent to both field and headquarters 
offices. A total of 35 questionnaires were sent to OIG Staff. 


For OIG Staff only, two different sets of questionnaires were sent. The first was the 
questionnaires which were the same for the four groups as discussed on page 4. The 
second was the questionnaires concerning dollar thresholds for audits as discussed in 
section 1.1 on page 14. 


Auditors 


The Task Force was unable to develop a method to identify the population of all auditors 
performing single audits. However, the Task Force developed the following sampling 
approach to be representative of auditors performing single audits. 


State Auditors 


First, questionnaires were sent to all State Auditors (members of the National State 
Auditors Association). Although there are only 50 states, 53 questionnaires were sent 
because some states have more than one auditor working with single audits. 


IPAs 


Next, the Task Force developed a sample of Independent Public Accountants ("IPAs"). 
First a random sample of entities having a single audit selected by the Clearinghouse (see 
State and Local Managers on page 105). A questionnaire was sent to the IPA who 
performed the single audit. In using this selection the Task Force eliminated any 
duplication of the same audit office. State Auditors were also eliminated since a separate 
sample was used for them. 


This selection was supplemented with 15 largest U.S. CPA firms (based on revenue for 
the most recent fiscal year) as reported by Accounting Today (September 24, 1990). The 
Task Force contacted the firms and sent questionnaires only to firms that conducted single 
audits. 


Finally, the Task Force asked the OlGs to provide the name of any audit firms they 
wished to add to the sample because those firms did substantial work on their agency's 
programs. A total of 150 questionnaires were sent to IPAs. 


104 


Federal Program Managers 


The Task Force developed a three level approach for sending the questionnaires to 
Federal Program Managers. 


First, from the Compliance Supplement (revised September 1990) which included audit 
information covering 78 of the larger Federal programs, the Task Force selected every 


other Federal Program (39 programs). 


Second, the 1990/91 U.S. Government Manual was used to judgmentally identify nine 
additional smaller Federal programs from Independent Establishments and Government 
Corporations that may be involved in single audits. 


Third, two additional Federal programs not included in the Compliance Supplement that 
were administered from larger Federal Agencies were judgmentally selected. 


Using the Catalog of Federal Domestic Assistance the Task Force identified contact 
persons for each of the 50 programs selected. Each contact person was called to identify 
a Federal official who worked in three areas of responsibility for each program. The 
three areas were administration, funding, and audit resolution. Sometimes one official 
was responsible for one or more of the functions, and sometimes a different official was 
responsible for each function. A total of 98 questionnaires were sent to Federal Program 


Managers. 


State and Local Government Managers 


First, a sample of single audits submitted to the Clearinghouse during the period July 1, 
1990 through June 30, 1991, was randomly selected by the Clearinghouse. The audits 
selected were primarily of smaller local governments. As a result, 147 questionnaires 
were sent to small local government managers ("Small Government Managers"). 


Since this original sample included only small local governments, a separate sample was 
judgmentally selected to represent states and large local governments. Questionnaires 
were sent to program managers ("State/Local Managers") in all 50 states plus a 


judgmental sample of the 20 largest local governments. A total of 170 questionnaires was 
sent to this group. 


105 


Attachment 2 
EXAMPLE OF GENERIC COMPLIANCE SUPPLEMENT 


The Compliance Supplement identifies the significant compliance requirements for most 
of the larger programs. Compliance requirements are considered significant when 
noncompliance could have a material effect on the program. 


Although the supplement lists programs that provide over 90 percent of the Federal aid 
to state and local governments, there are many programs that are not listed. This 
appendix provides guidance on identifying compliance requirements for programs not 
listed in the Compliance Supplement and some generic procedures to test those 
requirements. 


SUGGESTED AUDIT PROCEDURES FOR IDENTIFYING COMPLIANCE 
REQUIREMENTS 


e If the auditor does not know what laws, regulations, or other requirements apply 
to the program, the auditor can determine the applicable requirements by: 


fe) Discussing the program with the client. (The client’s identification of the 
applicable laws, regulation or other requirements should be corroborated by 
performing one or more of the other procedures below, as necessary.) 


O Reviewing the program award document or agreement, including any 
amendments or close out agreements. These documents or agreements may 


reference particular laws and regulations applicable to the program and 
identify the name and phone number of a Federal contact person. 


) Reviewing the Catalog of Federal Domestic Assistance ("CFDA"). The 
CFDA provides summary information about each program and includes the 
name and phone number of a Federal contact person. 


fe) Determining if there is a program audit guide or agency prepared 
Compliance Supplement issued by the Federal Agency’s OIG and, if so, 
reviewing it. The availability of a program audit guide or Compliance 
Supplement can be determined by consulting the PCIE publication, Revised 
Program Audit Guide Listing (available from the Government Printing 
Office) or by contacting the appropriate Regional OIG. 


° The auditor should obtain and review the award document/agreement, applicable 
laws, regulations, and other requirements to identify compliance requirements to 


106 


be tested. Generally, the auditor should identify for testing any significant 
requirements in the compliance categories A through J below. 


If the auditor cannot determine from this review what requirements are significant, 
the auditor should call the contact person identified in the CFDA or award 
document. This contact may be particularly important for any compliance 
requirements that would not fit under the categories A through I below, and thus 
would be category J, Special Tests and Provisions. 


COMPLIANCE REQUIREMENT CATEGORIES 


A. 


Types of Services Allowed or Unaliowed. This category includes requirements 
that specify the activities or types of activities that can and cannot be funded by 
the program. It also includes requirements that mandate that certain activities be 
undertaken. 


Suggested Audit Procedures 


e Test expenditure and related records to determine that funds were used for 
allowed activities. 


e Scan expenditure records for large transfers from program accounts and 
determine if any such transfers went to fund unallowable activities. 


e Review financial and project records to determine if required activities were 
performed. 


e If funds are passed through to subrecipients, test approved subrecipient 
applications or agreements to determine whether approved activities were 
allowable. 


Allowable Costs/Cost Principles. Federal cost principles are designed to ensure 
that Federally assisted programs bear their fair share of recognized costs as 
determined by allowable cost principles. For a further description of the 
requirements and the suggested audit procedures see the Aliowable Costs\Cost 
Principles section in the appendix to this Compliance Supplement.“ 


exceptions, are subject the provisions of Uniform Administrative Requirements for 


© This sentence refers to an appendix to the Compliance Supplement that contains those compliance 
requirements and suggested audit procedures that are applicable to all programs (See recommendation 3.2(d) 
on page 35). 


107 


Grants and Cooperative Agreements to State and Local Governments (Common 
Rule). For further description of the these requirements and suggested audit 
procedures sce the Administrative Requirements section in the appendix to this 
Compliance Supplement.“ 


Eligibility. Many programs have specific eligibility requirements to limit 
assistance to certain activities or groups of individuals. 


Suggested Audit Procedures 


e Review a representative sample of participant records, and determine 
whether prescribed procedures were followed and whether the participants 
were eligible. 


Matching, Level of Effort, and/or Earmarking Requirements. Matching 
requirements include requirements to provide in-kind contributions, or matching 
funds on a one-to-one or percentage basis. 


Level of effort requirements include provisions that require a certain level of 
service be provided from year to year or a certain level of expenditures (may be 
either non-Federal or Federal) for specified activities be maintained from period 
to period. These requirements frequently specify that certain classes of 
expenditures are not to be included in the calculations. For example, certain 
programs only allow operating expenditures to be considered and prohibit capital 
expenditures or debt service from being included. Grantees are usually required 
to maintain specific summary records or reports documenting compliance with this 
type of requirement. 


Level of effort requirements also include provisions that require Federal funds to 
supplement and not supplant non-Federal funding of services and/or requirements 
thai specified services provided prior to Federal funding not be discontinued. 
Requirements that Federal program beneficiaries receive a comparable level of 
locally funded benefits/services (comparability) as nonprogram participants may 
also be included in this category. 


Earmarking requirements include requirements that limit the amount of funds that 
can be used for administrative purposes or specified programmatic activity, 
including amounts that can be subawarded. They also include requirements that 
specify amounts or percentages of funds to be used for specified activities. 


” See footnote 42 on page 107. 


108 


Suggested Audit Procedures 


For matching requirements: 


O 


Review the summary documentation to determine if the required 
levels of matching were met. 


Test matching costs claimed for conformity to cost principles and to 
determine whether they were for services or activities eligible to be 
counted as matching costs. 


On a test basis, trace amounts claimed for matching to supporting 
documentation. 


For level of effort requirements that relate to maintaining certain 
funding levels: 


1) 


Review grantee’s summary records or reports documenting level of 
effort amounts/computations to determine if appropriate levels were 
maintained. Verify the accuracy of any computations. 


Review types of expenditures included in the computations to 
determine whether they are the same expenditure categories for each 
period being compared and to assure that only allowed classes of 
expenditures are included. 


Trace amounts included in the computations to the books and records 
from which the audited financial statements were prepared. 


For level of effort requirements requiring certain services be performed 
or not performed: (procedures identified above for requirements to 


maintain funding levels may also be applicable to these requirements) 


O 


Review expenditure and other records (e.g., activity reports, 
budgets) as needed, to determine whether required activities were 
funded and/or, as applicable, were charged appropriately (e.g., to 
local or Federal accounts). 


For supplement, not supplant requirements: (procedures identified 
above for requirements to maintain funding levels may also be 
applicable to these requirements) 


109 


O Determine whether any Federally funded activities in the current 
year were locally funded in the prior year. 


O When performing other Federal expenditure testing, be alert for 
expenditures charged to the program that appear to be for activities 
that the entity would have to carry out or costs that it would have to 
incur irrespective of the Federal funding. Followup on any items to 
determine if Federal funds supplanted non-Federal funds. 


O Determine whether Federally funded activities received their fair 
share of non-Federal funds when compared to non-Federal activities 


(comparability). 
e For earmarking requirements: 


O Review financial and related records and determine if expenditure 
amounts were in accordance with the requirements and limitations. 


O Review a representative sample of transactions to assure they are 
appropriately classified. (This procedure may have been done as 
part of other testing.) 


F. Special Reporting Requirements.“ Many programs require submission of special 
financial or performance and evaluation reports. 


Suggested Audit Procedures 
e Review the procedures for preparing the reports and evaluate for adequacy. 


e Trace amounts reported to books and/or supporting documentation as 
appropriate. 


G. Federal Financial Reporting Requirements.“ Most programs require certain 
common financial reports to be submitted. For a further description of these 
reporting requirements and related suggested audit procedures, see the Financial 
Reporting section in the appendix to this Compliance Supplement.“ 


“ See recommendation 9.3(m) on page 97 to clarify the auditor’s responsibility to verify accuracy of Federal 
reports. 


See footnote 44 on page 110. 


“ See footnote 42 on page 107. 


110 


Suggested Audit Procedures 
e Review the procedures for preparing the reports and evaluate for adequacy. 


e Trace amounts reported to books and/or supporting documentation 2s 
appropriate. 


Cash Management. Grantee financial management systems shall include 
procedures to minimize the time elapsed between the transfer of funds from the 
U.S. Treasury and the disbursement of funds by the grantee. Advances made by 
primary recipients to secondary recipients shall conform substantially to the same 
standards of timing and amount as apply to advances by Federal agencies to 
primary recipient organizations. For further information and suggested audit 
procedures see the Cash Management section of the appendix to this Compliance 
Supplement.“ 


Subrecipient Monitoring. 


Federal financial assistance to state and local governments is often passed through 
to subrecipients. A-128 requires these prime recipient governments to carry out 
specific oversight functions for subrecipients. 


Suggested Audit Procedures 


e Review awards made to subrecipients to determine whether the recipient 
Clearly identified to the subrecipient the Federal amount, CFDA number, 
and program name. 


e Review and evaluate controls designed by the recipient to ensure that 
subrecipients expend Federal assistance funds provided in accordance with 
applicable laws and regulations. 


e Test to determine whether the recipient performs proper monitoring 
procedures to ensure subrecipients expend Federal assistance funds provided 
in accordance with applicable laws and regulations. 


e Review and evaluate controls designed by the recipient to ensure that 
subrecipients comply with applicable audit requirements. 


*’ See footnote 42 on page 107. 


111 


e Test to determine that required subrecipient audits are received and 
reviewed by the recipient to ensure they comply with applicable audit 
requirements. 


e Review and evaluate controls designed by the recipient to ensure that 
appropriate corrective action is taken within six months after receipt of the 
audit report in instances of noncompliance with Federal laws and 
regulations by subrecipients. 


e Review subrecipient audits that included findings and test to determine 
whether the recipient has made a determination on corrective action with 
appropriate followup. 


e Review and evaluate controls designed by the recipient to ensure that 
findings included in subrecipient audits that may be of a magnitude to 
necessitate adjustment of the recipient’s own records are identified and that 
appropriate adjustments are made. 


e Test subrecipient audits and recipient records to determine compliance with 


J. Special Tests and Provisions. Many programs contain significant provisions that 
do not fit within the above categories. Two such requirements, Davis-Bacon and 
Relocation Assistance/Real Property Acquisitions requirements are the same for 
all programs to which they apply. A further description of these two requirements 
and related suggested audit procedures is contained in separate sections of the 
appendix to this Compliance Supplement.“ 


Suggested Audit Procedures 


e Auditors should follow the guidance above for identifying compliance 
requirements. Sometimes, significant special provisions will be obvious, 
because they directly relate to or affect the purpose of the program. In 
other cases, the auditor may not be able to identify which, if any, 
provisions are considered significant for single audit purposes. The auditor 
is encouraged to contact the Federal program contact identified in the steps 
outlined above for identifying compliance requirements. The auditor should 
design appropriate tests for any significant requirements identified. 


“ See footnote 42 on page 107. 
112 


EXAMPLE OF COMPLIANCE MATRIX Attachment 3 
(See recommendation 5.4(a) on page 68) 


U.S. Department of Agriculture 
Major Programs 


CFDA Number 


(See 3.2(a) on page 33) 


Types of Services Allowed or 
Unallowed 


Allowable Costs/Cost Principles 


Administrative Requirements 


Eligibility 
Matching, Level of Effort, and/or 
Earmarking 


Special Reporting 


Federal Financial Reports 


Cash Management 


Subrecipient Monitoring 


Special Tests and Provisions 


Note: 
Yes or No in each block indicates whether tests were performed for this 
requirement. Normally this will be because the tests were not applicable. An 
explanation should be provided when the auditor was unable or otherwise did not 
perform applicable tests. 


113 


Attachment 4 
RESPONSIBILITIES FOR IMPLEMENTING RECOMMENDATIONS 


of Recommendations OMB | PCIE | AICPA | Other 
1.1 Raise dollar threshold for audit 


2.1 Improve coverage of nonmajor programs 
2.2 Risk-based approach to determine programs 
tested as major--Pilot in audits of states 


3.1U i y 
3.2 Revise general & specific compliance 

3.3 Clarify civil rights and drug-free workplace 
3.4 Add C/S section on internal controls 

3.5 Inform auditors of high risk programs 

3.6 Improve C/S program guidance 

3.7 Subrecipient monitoring _ 

3.8 Define clusters of programs in C/S 

4.1 Clarify 1/C and compliance testing required 
4.2 under a common system of I/C 
5.1 Reduce and simplify auditor’s reports 


P = 4 GAO (P) 
P GAO (P) 


& |e |k 


oe he eho he h-hh he he - he - 2 he] 


”a io im 1m 
~~ 


5.2 Report design problems in Federal 

5.3 Improve timeliness of reports 

5.4 Identify types of compliance tested 

5.5 Permit minor findings to be Act 
5.6 Improve presentation of audit 

5.7 Improve audit resolution 

5.8 Improve audit followup 


S GAO (S) 
S GAO (S 


mA im [wm Io Io 


wu Polo lu lo im 


S GAO (S) 


6.1 Maj at multi ing units 
7.1 ity of subrecipient audits 

8.1 evaluate and audit 

9.1 Identification of Federal funds 

9.2 to be consistent with A-133 
9.3 Clarify and support existing guidance 
9.4 Training 


wu Tol To ie 


Act 
Act 


”n 


M 
Tramers (S) 


P = Primary responsibility; S = Secondary responsibility; State Aud = State auditors; 
Prog Mgr = Program managers; C/S = Compliance Supplement; I/C = Internal controls 


114 


